CWE-502

Deserialization of Untrusted Data

Abstraction: Base
Status: Draft
Likelihood: Medium

Description

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-586

CVEs mapped to this weakness (1,721)

page 51 of 87
  • CVE-2026-3357 (High, Apr 8, 2026)
    risk 0.50, CVSS 8.8, EPSS 0.00

    IBM Langflow Desktop 1.6.0 through 1.8.2 Langflow could allow an authenticated user to execute arbitrary code on the system, caused by an insecure default setting which permits the deserialization of untrusted data in the FAISS component.

  • CVE-2026-32484 (High, Mar 25, 2026)
    risk 0.50, CVSS 8.8, EPSS 0.00

    Deserialization of Untrusted Data vulnerability in BoldGrid weForms weforms allows Object Injection. This issue affects weForms: from n/a through <= 1.6.26.

  • CVE-2026-4735 (High, Mar 24, 2026)
    risk 0.50, CVSS not listed, EPSS 0.00

    Deserialization of Untrusted Data vulnerability in DTStack chunjun (chunjun-core/src/main/java/com/dtstack/chunjun/util modules). This vulnerability is associated with program files GsonUtil.Java. This issue affects chunjun: before 1.16.1.

  • CVE-2026-1323 (High, Mar 17, 2026)
    risk 0.50, CVSS 8.8, EPSS 0.00

    The extension fails to properly define allowed classes used when deserializing transport failure metadata. An attacker may exploit this to execute untrusted serialized code. Note that an active exploit requires write access to the directory configured at…

  • CVE-2026-21665 (High, Feb 23, 2026)
    risk 0.50, CVSS not listed, EPSS 0.00

    The Print Service component of Fiserv Originate Loans Peripherals (formerly Velocity Services) in unsupported version 2021.2.4 (build 4.7.3155.0011) uses deprecated .NET Remoting TCP channels that allow unsafe deserialization of untrusted data. When these services are exposed to…

  • CVE-2026-1426 (High, Feb 18, 2026)
    risk 0.50, CVSS 8.8, EPSS 0.00

    The Advanced AJAX Product Filters plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.1.9.6 via deserialization of untrusted input in the shortcode_check function within the Live Composer compatibility layer. This makes it possible…

  • CVE-2025-14476 (High, Dec 13, 2025)
    risk 0.50, CVSS 8.8, EPSS 0.00

    The Doubly – Cross Domain Copy Paste for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.46 via deserialization of untrusted input from the content.txt file within uploaded ZIP archives. This makes it possible for…

  • CVE-2025-47660 (High, May 23, 2025)
    risk 0.50, CVSS 8.8, EPSS 0.00

    Deserialization of Untrusted Data vulnerability in Codexpert, Inc WC Affiliate wc-affiliate allows Object Injection. This issue affects WC Affiliate: from n/a through <= 2.16.

  • CVE-2025-31129 (High, Mar 31, 2025)
    risk 0.50, CVSS 8.8, EPSS 0.01

    Jooby is a web framework for Java and Kotlin. The pac4j io.jooby.internal.pac4j.SessionStoreImpl#get module deserializes untrusted data. This vulnerability is fixed in 2.17.0 (2.x) and 3.7.0 (3.x).

  • CVE-2024-10957 (High, Jan 4, 2025)
    risk 0.50, CVSS 8.8, EPSS 0.01

    The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to PHP Object Injection in all versions from 1.23.8 to 1.24.11 via deserialization of untrusted input in the 'recursive_unserialized_replace' function. This makes it possible for unauthenticated…

  • CVE-2024-42363 (High, Aug 20, 2024)
    risk 0.50, CVSS 8.8, EPSS 0.01

    Prior to 3385, the user-controlled role parameter enters the application in the Kubernetes::RoleVerificationsController. The role parameter flows into the RoleConfigFile initializer and then into the Kubernetes::Util.parse_file method where it is unsafely deserialized using the…

  • CVE-2024-5726 (High, Jul 18, 2024)
    risk 0.50, CVSS 8.8, EPSS 0.01

    The Timeline Event History plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.1 via deserialization of untrusted input 'timelines-data' parameter. This makes it possible for authenticated attackers, with Contributor-level access…

  • CVE-2024-34515 (High, May 5, 2024)
    risk 0.50, CVSS 8.8, EPSS 0.02

    image-optimizer before 1.7.3 allows PHAR deserialization, e.g., the phar:// protocol in arguments to file_exists().

  • CVE-2024-2693 (High, Apr 9, 2024)
    risk 0.50, CVSS 8.8, EPSS 0.01

    The Link Whisper Free plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 0.7.1 via deserialization of untrusted input of the 'mfn-page-items' post meta value. This makes it possible for authenticated attackers, with contributor-level…

  • CVE-2024-3018 (High, Mar 30, 2024)
    risk 0.50, CVSS 8.8, EPSS 0.01

    The Essential Addons for Elementor plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.9.13 via deserialization of untrusted input from the 'error_resetpassword' attribute of the "Login | Register Form" widget (disabled by default).…

  • CVE-2024-1770 (High, Mar 28, 2024)
    risk 0.50, CVSS 8.8, EPSS 0.01

    The Meta Tag Manager plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0.2 via deserialization of untrusted input in the get_post_data function. This makes it possible for authenticated attackers, with contributor access or…

  • CVE-2024-2025 (High, Mar 23, 2024)
    risk 0.50, CVSS 8.8, EPSS 0.01

    The "BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages" plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.20 via deserialization of untrusted input in the get_simple_request function. This makes it…

  • CVE-2024-22284 (High, Jan 24, 2024)
    risk 0.50, CVSS 8.7, EPSS 0.01

    Deserialization of Untrusted Data vulnerability in Thomas Belser Asgaros Forum. This issue affects Asgaros Forum: from n/a through 2.7.2.

  • CVE-2023-52206 (High, Jan 8, 2024)
    risk 0.50, CVSS 7.7, EPSS 0.01

    Deserialization of Untrusted Data vulnerability in Live Composer Team Page Builder: Live Composer live-composer-page-builder. This issue affects Page Builder: Live Composer: from n/a through 1.5.25.

  • CVE-2023-6730 (High, Dec 19, 2023)
    risk 0.50, CVSS 8.8, EPSS 0.01

    Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.