VYPR

CWE-502

Deserialization of Untrusted Data

Abstraction: Base | Status: Draft | Likelihood of exploit: Medium

Description

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
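The one-sentence description above is the common thread in every entry listed below, whether the format is Java serialization and jackson-databind polymorphic typing, a YAML parser that instantiates arbitrary types, PHP unserialize(), or Python pickle.loads: the serialized bytes name the type to build and the callable to invoke, so whoever controls the bytes controls what the reader executes. The script below is an added example written for this page; it is not code from VYPR, MITRE, or any of the listed projects. It uses Python's pickle as the format, builtins.eval on a harmless expression as a stand-in gadget (a real payload would name os.system or similar), a one-entry class allow-list, and HMAC-SHA256 with a shared key as the integrity check; all four are choices made for the demo, not requirements of the weakness.

```python
"""Added example for CWE-502: a pickle gadget, then two mitigations."""
import hashlib
import hmac
import io
import os
import pickle
from collections import OrderedDict

# pickle rebuilds objects via __reduce__, which returns (callable, args); the
# unpickler then calls callable(*args). Whoever writes the bytes picks the
# callable. Stand-in gadget: builtins.eval on a harmless expression.
class Gadget:
    def __reduce__(self):
        return (eval, ("__import__('os').getpid()",))


def build_malicious_payload() -> bytes:
    """Constructed attacker bytes; they reference builtins.eval, not Gadget."""
    return pickle.dumps(Gadget())


def unsafe_loads(data: bytes):
    """The CWE-502 pattern: trust the bytes and let the format drive execution."""
    return pickle.loads(data)


# Mitigation 1: restrict which globals the unpickler may resolve.
class RestrictedUnpickler(pickle.Unpickler):
    # Deliberately tiny allow-list (demo choice). Add an entry only after
    # checking that the class's own __reduce__/__setstate__ is not a gadget.
    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is not allowed")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


# Mitigation 2: authenticate the bytes before parsing a single opcode.
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign(data: bytes, key: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest() + data


def verify_and_load(blob: bytes, key: bytes):
    tag, data = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, data, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("HMAC mismatch: refusing to deserialize")
    # Authenticity limits who may write; the allow-list limits what a writer
    # (or a stolen key) can make the reader do. Use both.
    return restricted_loads(data)


def demo() -> dict:
    key = os.urandom(32)  # in practice a secret shared only with trusted writers
    benign = pickle.dumps(OrderedDict(user="alice", roles=["viewer"]))
    evil = build_malicious_payload()
    results = {}
    # Vulnerable loader: the attacker's callable runs during deserialization.
    results["gadget_ran"] = unsafe_loads(evil) == os.getpid()
    try:
        restricted_loads(evil)
        results["restricted_blocked"] = False
    except pickle.UnpicklingError:
        results["restricted_blocked"] = True
    results["benign_ok"] = restricted_loads(benign)["user"] == "alice"
    results["signed_ok"] = verify_and_load(sign(benign, key), key)["user"] == "alice"
    tampered = bytearray(sign(benign, key))
    tampered[-1] ^= 0x01  # one flipped byte in transit
    try:
        verify_and_load(bytes(tampered), key)
        results["tampered_rejected"] = False
    except ValueError:
        results["tampered_rejected"] = True
    forged = b"\x00" * TAG_LEN + evil  # attacker has no key, guesses a tag
    try:
        verify_and_load(forged, key)
        results["forged_rejected"] = False
    except ValueError:
        results["forged_rejected"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it directly and every check in demo() prints True. The order of the two mitigations matters: the HMAC is checked over the raw bytes before the unpickler sees them, and the allow-list still applies afterwards because a legitimate writer (or a leaked key) can still produce a gadget. Where the data only needs to carry plain values, a schema-validated format such as JSON removes the class-name-in-the-bytes problem entirely.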

Hierarchy (View 1000)

Parents

Children: none

Related attack patterns (CAPEC)

CAPEC-586: Object Injection

CVEs mapped to this weakness (1,721)

page 53 of 87
  • CVE-2020-11111 (High; published Mar 31, 2020)
    risk 0.50 | CVSS 8.8 | EPSS 0.03

    FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).

  • CVE-2020-10969 (High; published Mar 26, 2020)
    risk 0.50 | CVSS 8.8 | EPSS 0.03

    FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.

  • CVE-2020-10968 (High; published Mar 26, 2020)
    risk 0.50 | CVSS 8.8 | EPSS 0.04

    FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).

  • CVE-2020-10672 (High; published Mar 18, 2020)
    risk 0.50 | CVSS 8.8 | EPSS 0.03

    FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).

  • CVE-2020-2123 (High; published Feb 12, 2020)
    risk 0.50 | CVSS 8.8 | EPSS 0.02

    Jenkins RadarGun Plugin 1.7 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

  • CVE-2019-16317 (High; published Sep 14, 2019)
    risk 0.50 | CVSS 8.8 | EPSS 0.02

    In Pimcore before 5.7.1, an attacker with limited privileges can trigger execution of a .phar file via a phar:// URL in a filename parameter, because PHAR uploads are not blocked and are reachable within the phar://../../../../../../../../var/www/html/web/var/assets/ directory,…

  • CVE-2019-10086 (High; published Aug 20, 2019)
    risk 0.50 | CVSS 7.3 | EPSS 0.29

    In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however, were not using this by default characteristic of the…

  • CVE-2019-12747 (High; published Jul 9, 2019)
    risk 0.50 | CVSS 8.8 | EPSS 0.02

    TYPO3 8.x through 8.7.26 and 9.x through 9.5.7 allows Deserialization of Untrusted Data.

  • CVE-2019-7539 (High; published Mar 21, 2019)
    risk 0.50 | CVSS 8.8 | EPSS 0.02

    A code injection issue was discovered in ipycache through 2016-05-31.

  • CVE-2017-15089 (High; published Feb 15, 2018)
    risk 0.50 | CVSS 8.8 | EPSS 0.03

    It was found that the Hotrod client in Infinispan before 9.2.0.CR1 would unsafely read deserialized data on information from the cache. An authenticated attacker could inject a malicious object into the data cache and attain deserialization on the client, and possibly conduct…

  • CVE-2026-11860 (High; published Jun 15, 2026)
    risk 0.49 | CVSS n/a | EPSS 0.00

    Quick.CMS deserializes user-controlled data received over plaintext HTTP without ensuring integrity or authenticity. This allows attackers to tamper with serialized payloads in transit and inject malicious objects. Because deserialization is performed without proper validation…

  • CVE-2026-24163 (High; published May 20, 2026)
    risk 0.49 | CVSS 7.5 | EPSS 0.01

    NVIDIA TRT-LLM for any platform contains a vulnerability in RPC testing, where an attacker could cause an unsafe deserialization. A successful exploit of this vulnerability might lead to code execution, denial of service, data tampering, and information disclosure.

  • CVE-2025-33255 (High; published May 20, 2026)
    risk 0.49 | CVSS 7.5 | EPSS 0.01

    NVIDIA TRT-LLM for any platform contains a vulnerability in MPI server, where an attacker could cause an unsafe deserialization. A successful exploit of this vulnerability might lead to code execution, denial of service, data tampering, and information disclosure.

  • CVE-2026-33233 (High; published May 19, 2026)
    risk 0.49 | CVSS 7.6 | EPSS 0.00

    AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. In versions 0.6.34 through 0.6.51, the backend deserializes Redis cache bytes using pickle.loads without integrity/authenticity checks. The write path…

  • CVE-2026-26978 (High; published May 18, 2026)
    risk 0.49 | CVSS n/a | EPSS 0.01

    FreePBX is an open source IP PBX. In versions below 16.0.71 and 17.0.6, the backup module does not properly sanitize data during restore operations, potentially leading to compromise if the backup contains carefully crafted hostile data. During backup restore operations, FreePBX…

  • CVE-2026-42471 (High; published May 1, 2026)
    risk 0.49 | CVSS 8.1 | EPSS 0.02

    Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The sync-invoke client (Connection.php:76) calls unserialize() on data received from the server response, enabling client-side RCE if connecting to a malicious server.

  • CVE-2026-22016 (High; published Apr 21, 2026)
    risk 0.49 | CVSS 7.5 | EPSS 0.01

    Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle…

  • CVE-2026-23869 (High; published Apr 8, 2026)
    risk 0.49 | CVSS 7.5 | EPSS 0.02

    A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4). The…

  • CVE-2026-2020 (High; published Mar 7, 2026)
    risk 0.49 | CVSS 7.5 | EPSS 0.00

    The JS Archive List plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.1.7 via the 'included' shortcode attribute. This is due to the deserialization of untrusted input supplied via the 'included' parameter of the plugin's…

  • CVE-2026-24385 (High; published Mar 5, 2026)
    risk 0.49 | CVSS 7.5 | EPSS 0.00

    Deserialization of Untrusted Data vulnerability in gerritvanaaken Podlove Web Player podlove-web-player allows Object Injection. This issue affects Podlove Web Player: from n/a through <= 5.9.1.