CWE-502
Deserialization of Untrusted Data
Description
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-586
CVEs mapped to this weakness (1,721)
page 5 of 87

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-49781 | | Cri | 0.64 | 9.8 | 0.00 | | Jun 15, 2026 | Unauthenticated PHP Object Injection in OttoKit <= 1.1.27 versions. |
| CVE-2026-49770 | | Cri | 0.64 | 9.8 | 0.00 | | Jun 15, 2026 | Unauthenticated PHP Object Injection in WP Travel Engine <= 6.7.12 versions. |
| CVE-2026-49769 | | Cri | 0.64 | 9.8 | 0.00 | | Jun 15, 2026 | Unauthenticated PHP Object Injection in wpForo Forum <= 3.1.0 versions. |
| CVE-2026-49768 | | Cri | 0.64 | 9.8 | 0.00 | | Jun 15, 2026 | Unauthenticated PHP Object Injection in Happyforms <= 1.26.13 versions. |
| CVE-2026-49765 | | Cri | 0.64 | 9.8 | 0.00 | | Jun 15, 2026 | Unauthenticated PHP Object Injection in Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.8 versions. |
| CVE-2026-49763 | | Cri | 0.64 | 9.8 | 0.00 | | Jun 15, 2026 | Unauthenticated PHP Object Injection in Integration for Contact Form 7 HubSpot <= 1.3.7 versions. |
| CVE-2026-49109 | | Cri | 0.64 | 9.8 | 0.00 | | Jun 15, 2026 | Unauthenticated PHP Object Injection in Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms <= 1.4.3 versions. |
| CVE-2026-49106 | | Cri | 0.64 | 9.8 | 0.00 | | Jun 15, 2026 | Unauthenticated PHP Object Injection in Integration for Contact Form 7 and Constant Contact <= 1.1.6 versions. |
| CVE-2026-49105 | | Cri | 0.64 | 9.8 | 0.00 | | Jun 15, 2026 | Unauthenticated PHP Object Injection in WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.4 versions. |
| CVE-2026-49104 | | Cri | 0.64 | 9.8 | 0.00 | | Jun 15, 2026 | Unauthenticated PHP Object Injection in Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms <= 1.2.1 versions. |
| CVE-2026-49085 | | Cri | 0.64 | 9.8 | 0.00 | | Jun 15, 2026 | Unauthenticated PHP Object Injection in WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.4 versions. |
| CVE-2026-27053 | | Cri | 0.64 | 9.8 | 0.00 | | Jun 15, 2026 | Unauthenticated PHP Object Injection in Broadcast Live Video < 7.1.3 versions. |
| CVE-2026-39006 | | Cri | 0.64 | 9.8 | 0.01 | | Jun 15, 2026 | An issue in SNMP4J-Agent 3.8.3 allows a remote attacker to execute arbitrary code via the snmp4jCfgStoragePath component. |
| CVE-2026-26142 | | Cri | 0.64 | 9.8 | 0.02 | | Jun 9, 2026 | Deserialization of untrusted data in Nuance PowerScribe allows an unauthorized attacker to execute code over a network. |
| CVE-2026-25550 | | Cri | 0.64 | 9.8 | 0.01 | | Jun 4, 2026 | Seagull Software BarTender 2010, 2016, and 2019 contain an unauthenticated remote code execution vulnerability in the .NET Remoting service exposed on TCP port 7375 via BtSystem.Service.exe. The service registers an unauthenticated singleton endpoint, BarTenderSystem for… |
| CVE-2026-47065 | — | Cri | 0.64 | 9.8 | 0.00 | | Jun 3, 2026 | ZDRES-232: resolveProxyClass Not Overridden - acceptMatchers Filter Bypass via java.lang.reflect.Proxy Assessment: Fully addressed. When the serialised stream contains a TC_PROXYCLASSDESC (the marker for a java.lang.reflect.Proxy), JDK's ObjectInputStream.readProxyDesc()… |
| CVE-2026-7858 | | Cri | 0.64 | 9.8 | 0.01 | | Jun 1, 2026 | A Deserialization of Untrusted Data vulnerability affecting Teamwork Cloud from No Magic Release 2022x through No Magic Release 2026x and Magic Collaboration Studio from CATIA Magic Release 2022x through CATIA Magic Release 2026x could lead to an unauthenticated remote code… |
| CVE-2026-7637 | | Cri | 0.64 | 9.8 | 0.01 | | May 20, 2026 | The Boost plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.0.3 via deserialization of untrusted input in the STYXKEY-BOOST_USER_LOCATION cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known… |
| CVE-2026-31072 | | Cri | 0.64 | 9.8 | 0.01 | | May 19, 2026 | The JSONSerializer and CBORSerializer in APScheduler (all versions including 3.10.x and 4.0.0a5) are vulnerable to Remote Code Execution (RCE) via Insecure Deserialization. The unmarshal_object function allows for arbitrary class instantiation and state injection by dynamically… |
| CVE-2026-7304 | | Cri | 0.64 | 9.8 | 0.01 | | May 18, 2026 | SGLang's multimodal generation runtime is vulnerable to unauthenticated remote code execution when the --enable-custom-logit-processor option is enabled, as Python objects loaded via dill.loads() will be deserialized without validation. |