VYPR

CWE-502

Deserialization of Untrusted Data

Abstraction: Base
Status: Draft
Likelihood of exploit: Medium

Description

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-586

CVEs mapped to this weakness (1,721)

page 50 of 87
  • CVE-2017-8829 | High | May 8, 2017
    risk 0.51 | cvss 7.8 | epss 0.02

    Deserialization vulnerability in lintian through 2.5.50.3 allows attackers to trigger code execution by requesting a review of a source package with a crafted YAML file.

  • CVE-2011-2520 | High | Jul 21, 2011
    risk 0.51 | cvss 7.8 | epss 0.00

    fw_dbus.py in system-config-firewall 1.2.29 and earlier uses the pickle Python module unsafely during D-Bus communication between the GUI and the backend, which might allow local users to gain privileges via a crafted serialized object.

  • CVE-2026-39532 | High | Jun 15, 2026
    risk 0.50 | cvss 8.8 | epss 0.00

    Contributor PHP Object Injection in Events Calendar for GeoDirectory <= 2.3.25 versions.

  • CVE-2026-39474 | High | Jun 15, 2026
    risk 0.50 | cvss 8.8 | epss 0.00

    Contributor PHP Object Injection in Post Duplicator <= 3.0.10 versions.

  • CVE-2026-52751 | High | Jun 10, 2026
    risk 0.50 | cvss 8.8 | epss 0.01

    Ghidra before 12.1 contains an unsafe deserialization vulnerability in client-side Shared-Project RMI connection code that allows unauthenticated remote code execution. Attackers can craft a malicious project file with a ghidra:// URL that, when opened via File → Open Project,…

  • CVE-2026-42359 | High | Jun 1, 2026
    risk 0.50 | cvss 8.8 | epss 0.01

    A bug in Apache Airflow's XCom PATCH endpoint `PATCH /api/v2/xcomEntries/{key}` allowed an authenticated UI/API user with XCom write permission on a Dag to set XCom entries under reserved key names (e.g. `return_value`) that the matching POST endpoint already validated against…

  • CVE-2026-47161 | High | May 27, 2026
    risk 0.50 | cvss (not given) | epss 0.00

    RELATE is a web-based courseware package. Prior to commit d66ba5659b459bf1ba56b7109b5f9ecf197cbefb, RELATE LMS configures its Celery workers to accept and deserialize untrusted 'pickle' data. An attacker who can reach the message broker can execute arbitrary commands on the host…

  • CVE-2026-31232 | High | May 12, 2026
    risk 0.50 | cvss 8.8 | epss 0.00

    The CosyVoice project thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its model loading process. When loading model files (.pt) from a user-specified directory (via the --model_dir argument), the…

  • CVE-2026-31219 | High | May 12, 2026
    risk 0.50 | cvss 8.8 | epss 0.01

    The _load_model() function in the neural_magic_training.py script of the optimate project in commit a6d302f912b481c94370811af6b11402f51d377f (2024-07-21) is vulnerable to insecure deserialization (CWE-502). When a user provides a single model file path (e.g., .pt or .pth) via…

  • CVE-2026-31218 | High | May 12, 2026
    risk 0.50 | cvss 8.8 | epss 0.01

    The _load_model() function in the neural_magic_training.py script of the optimate project in commit a6d302f912b481c94370811af6b11402f51d377f (2024-07-21) is vulnerable to insecure deserialization (CWE-502). When loading a model state dictionary from a state_dict.pt file via…

  • CVE-2026-41486 | High | May 8, 2026
    risk 0.50 | cvss 8.8 | epss 0.00

    Ray is an AI compute engine. From version 2.54.0 to before version 2.55.0, Ray Data registers custom Arrow extension types (ray.data.arrow_tensor, ray.data.arrow_tensor_v2, ray.data.arrow_variable_shaped_tensor) globally in PyArrow. When PyArrow reads a Parquet file containing…

  • CVE-2026-5127 | High | May 8, 2026
    risk 0.50 | cvss 8.8 | epss 0.01

    The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Deserialization of Untrusted Data in versions up to, and including, 4.3.1. This is due to insufficient input validation and type checking…

  • CVE-2026-24186 | High | Apr 28, 2026
    risk 0.50 | cvss 8.8 | epss 0.00

    NVIDIA FLARE SDK contains a vulnerability in FOBS, where an attacker may cause deserialization of untrusted data by sending a malicious FOBS-encoded message. A successful exploit of this vulnerability might lead to code execution.

  • CVE-2026-27172 | High | Apr 27, 2026
    risk 0.50 | cvss 8.8 | epss 0.01

    The ConsulRegistry in the camel-consul component (class org.apache.camel.component.consul.ConsulRegistry and its inner ConsulRegistryUtils.deserialize method) read Java-serialized values from the Consul KV store and passed them to ObjectInputStream.readObject() without…

  • CVE-2026-40858 | High | Apr 27, 2026
    risk 0.50 | cvss 8.8 | epss 0.01

    The camel-infinispan component's ProtoStream-based remote aggregation repository deserializes data read from a remote Infinispan cache using java.io.ObjectInputStream without applying any ObjectInputFilter. An attacker who can write to the Infinispan cache used by a Camel…

  • CVE-2026-40473 | High | Apr 27, 2026
    risk 0.50 | cvss 8.8 | epss 0.01

    The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. When a Camel route uses camel-mina as a TCP or UDP consumer and requests…

  • CVE-2026-40901 | High | Apr 16, 2026
    risk 0.50 | cvss 8.8 | epss 0.01

    DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below ship the legacy velocity-1.7.jar, which pulls in commons-collections-3.2.1.jar containing the InvokerTransformer deserialization gadget chain. Quartz 2.3.2, also bundled in the…

  • CVE-2026-33858 | High | Apr 13, 2026
    risk 0.50 | cvss 8.8 | epss 0.01

    Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low. Users are recommended to upgrade to…

  • CVE-2026-1462 | High | Apr 13, 2026
    risk 0.50 | cvss 8.8 | epss 0.00

    A vulnerability in the `TFSMLayer` class of the `keras` package, version 3.13.0, allows attacker-controlled TensorFlow SavedModels to be loaded during deserialization of `.keras` models, even when `safe_mode=True`. This bypasses the security guarantees of `safe_mode` and enables…

  • CVE-2026-35337 | High | Apr 13, 2026
    risk 0.50 | cvss 8.8 | epss 0.01

    Deserialization of Untrusted Data vulnerability in Apache Storm. Versions Affected: before 2.8.6. Description: When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject() without…