CWE-502
Deserialization of Untrusted Data
BaseDraftLikelihood: Medium
Description
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-586
CVEs mapped to this weakness (970)
page 5 of 49| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-35171 | Cri | 0.64 | 9.8 | 0.00 | Apr 6, 2026 | Kedro is a toolbox for production-ready data science. Prior to 1.3.0, Kedro allows the logging configuration file path to be set via the KEDRO_LOGGING_CONFIG environment variable and loads it without validation. The logging configuration schema supports the special () key, which enables arbitrary callable instantiation. An attacker can exploit this to execute arbitrary system commands during application startup. This is a critical remote code execution (RCE) vulnerability caused by unsafe use of logging.config.dictConfig() with user-controlled input. This vulnerability is fixed in 1.3.0. | |
| CVE-2026-34838 | Cri | 0.64 | 9.9 | 0.01 | Apr 2, 2026 | Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.156, 25.0.90, and 26.0.12, a vulnerability in the AbstractSettingsCollection model leads to insecure deserialization when these settings are loaded. By injecting a serialized FileCookieJar object into a setting string, an authenticated attacker can achieve Arbitrary File Write, leading directly to Remote Code Execution (RCE) on the server. This issue has been patched in versions 6.8.156, 25.0.90, and 26.0.12. | |
| CVE-2026-34877 | Cri | 0.64 | 9.8 | 0.00 | Apr 2, 2026 | An issue was discovered in Mbed TLS versions from 2.19.0 up to 3.6.5, Mbed TLS 4.0.0. Insufficient protection of serialized SSL context or session structures allows an attacker who can modify the serialized structures to induce memory corruption, leading to arbitrary code execution. This is caused by Incorrect Use of Privileged APIs. | |
| CVE-2026-4851 | Cri | 0.64 | 9.8 | 0.00 | Mar 29, 2026 | GRID::Machine versions through 0.127 for Perl allows arbitrary code execution via unsafe deserialization. GRID::Machine provides Remote Procedure Calls (RPC) over SSH for Perl. The client connects to remote hosts to execute code on them. A compromised or malicious remote host can execute arbitrary code back on the client through unsafe deserialization in the RPC protocol. read_operation() in lib/GRID/Machine/Message.pm deserialises values from the remote side using eval() $arg .= '$VAR1'; my $val = eval "no strict; $arg"; # line 40-41 $arg is raw bytes from the protocol pipe. A compromised remote host can embed arbitrary perl in the Dumper-formatted response: $VAR1 = do { system("..."); }; This executes on the client silently on every RPC call, as the return values remain correct. This functionality is by design but the trust requirement for the remote host is not documented in the distribution. | |
| CVE-2026-32512 | Cri | 0.64 | 9.8 | 0.00 | Mar 25, 2026 | Deserialization of Untrusted Data vulnerability in Edge-Themes Pelicula pelicula-video-production-and-movie-theme allows Object Injection.This issue affects Pelicula: from n/a through < 1.10. | |
| CVE-2026-32502 | Cri | 0.64 | 9.8 | 0.00 | Mar 25, 2026 | Deserialization of Untrusted Data vulnerability in Select-Themes Borgholm borgholm-marketing-agency-theme allows Object Injection.This issue affects Borgholm: from n/a through < 1.6. | |
| CVE-2026-27095 | Cri | 0.64 | 9.8 | 0.00 | Mar 25, 2026 | Deserialization of Untrusted Data vulnerability in magepeopleteam Bus Ticket Booking with Seat Reservation bus-ticket-booking-with-seat-reservation allows Object Injection.This issue affects Bus Ticket Booking with Seat Reservation: from n/a through <= 5.6.0. | |
| CVE-2026-27084 | Cri | 0.64 | 9.8 | 0.00 | Mar 25, 2026 | Deserialization of Untrusted Data vulnerability in ThemeREX Buisson buisson allows Object Injection.This issue affects Buisson: from n/a through <= 1.1.11. | |
| CVE-2026-27083 | Cri | 0.64 | 9.8 | 0.00 | Mar 25, 2026 | Deserialization of Untrusted Data vulnerability in ThemeREX Work & Travel Company work-travel-company allows Object Injection.This issue affects Work & Travel Company: from n/a through <= 1.2. | |
| CVE-2026-27082 | Cri | 0.64 | 9.8 | 0.00 | Mar 25, 2026 | Deserialization of Untrusted Data vulnerability in ThemeREX Love Story lovestory allows Object Injection.This issue affects Love Story: from n/a through <= 1.3.12. | |
| CVE-2026-25429 | Cri | 0.64 | 9.8 | 0.00 | Mar 25, 2026 | Deserialization of Untrusted Data vulnerability in wpdive Nexa Blocks nexa-blocks allows Object Injection.This issue affects Nexa Blocks: from n/a through <= 1.1.1. | |
| CVE-2026-25032 | Cri | 0.64 | 9.8 | 0.00 | Mar 25, 2026 | Deserialization of Untrusted Data vulnerability in park_of_ideas Ricky ricky allows Object Injection.This issue affects Ricky: from n/a through < 2.31. | |
| CVE-2026-25031 | Cri | 0.64 | 9.8 | 0.00 | Mar 25, 2026 | Deserialization of Untrusted Data vulnerability in park_of_ideas Tasty Daily tastydaily allows Object Injection.This issue affects Tasty Daily: from n/a through < 1.27. | |
| CVE-2026-25030 | Cri | 0.64 | 9.8 | 0.00 | Mar 25, 2026 | Deserialization of Untrusted Data vulnerability in park_of_ideas Goldish goldish allows Object Injection.This issue affects Goldish: from n/a through < 3.47. | |
| CVE-2026-25029 | Cri | 0.64 | 9.8 | 0.00 | Mar 25, 2026 | Deserialization of Untrusted Data vulnerability in park_of_ideas KIDZ kidz allows Object Injection.This issue affects KIDZ: from n/a through <= 5.24. | |
| CVE-2026-24989 | Cri | 0.64 | 9.8 | 0.00 | Mar 25, 2026 | Deserialization of Untrusted Data vulnerability in FantasticPlugins SUMO Affiliates Pro affs allows Object Injection.This issue affects SUMO Affiliates Pro: from n/a through < 11.4.0. | |
| CVE-2026-24378 | Cri | 0.64 | 9.8 | 0.00 | Mar 25, 2026 | Deserialization of Untrusted Data vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Object Injection.This issue affects EventPrime: from n/a through <= 4.2.8.0. | |
| CVE-2026-22507 | Cri | 0.64 | 9.8 | 0.00 | Mar 25, 2026 | Deserialization of Untrusted Data vulnerability in AncoraThemes Beelove beelove allows Object Injection.This issue affects Beelove: from n/a through <= 1.2.6. | |
| CVE-2026-22500 | Cri | 0.64 | 9.8 | 0.00 | Mar 25, 2026 | Deserialization of Untrusted Data vulnerability in axiomthemes m2 | Construction and Tools Store m2-ce allows Object Injection.This issue affects m2 | Construction and Tools Store: from n/a through <= 1.1.2. | |
| CVE-2025-60237 | Cri | 0.64 | 9.8 | 0.00 | Mar 19, 2026 | Deserialization of Untrusted Data vulnerability in Themeton Finag allows Object Injection.This issue affects Finag: from n/a through 1.5.0. |