CWE-502
Deserialization of Untrusted Data
Description
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-586
CVEs mapped to this weakness (1,721)
page 53 of 87

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-11111 | — | High | 0.50 | 8.8 | 0.03 |  | Mar 31, 2020 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms). |
| CVE-2020-10969 | — | High | 0.50 | 8.8 | 0.03 |  | Mar 26, 2020 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane. |
| CVE-2020-10968 | — | High | 0.50 | 8.8 | 0.04 |  | Mar 26, 2020 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy). |
| CVE-2020-10672 | — | High | 0.50 | 8.8 | 0.03 |  | Mar 18, 2020 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms). |
| CVE-2020-2123 |  | High | 0.50 | 8.8 | 0.02 |  | Feb 12, 2020 | Jenkins RadarGun Plugin 1.7 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability. |
| CVE-2019-16317 | — | High | 0.50 | 8.8 | 0.02 |  | Sep 14, 2019 | In Pimcore before 5.7.1, an attacker with limited privileges can trigger execution of a .phar file via a phar:// URL in a filename parameter, because PHAR uploads are not blocked and are reachable within the phar://../../../../../../../../var/www/html/web/var/assets/ directory,… |
| CVE-2019-10086 |  | High | 0.50 | 7.3 | 0.29 |  | Aug 20, 2019 | In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the… |
| CVE-2019-12747 | — | High | 0.50 | 8.8 | 0.02 |  | Jul 9, 2019 | TYPO3 8.x through 8.7.26 and 9.x through 9.5.7 allows Deserialization of Untrusted Data. |
| CVE-2019-7539 |  | High | 0.50 | 8.8 | 0.02 |  | Mar 21, 2019 | A code injection issue was discovered in ipycache through 2016-05-31. |
| CVE-2017-15089 |  | High | 0.50 | 8.8 | 0.03 |  | Feb 15, 2018 | It was found that the Hotrod client in Infinispan before 9.2.0.CR1 would unsafely read deserialized data on information from the cache. An authenticated attacker could inject a malicious object into the data cache and attain deserialization on the client, and possibly conduct… |
| CVE-2026-11860 |  | High | 0.49 | — | 0.00 |  | Jun 15, 2026 | Quick.CMS deserializes user-controlled data received over plaintext HTTP without ensuring integrity or authenticity. This allows attackers to tamper with serialized payloads in transit and inject malicious objects. Because deserialization is performed without proper validation… |
| CVE-2026-24163 |  | High | 0.49 | 7.5 | 0.01 |  | May 20, 2026 | NVIDIA TRT-LLM for any platform contains a vulnerability in RPC testing, where an attacker could cause an unsafe deserialization. A successful exploit of this vulnerability might lead to code execution, denial of service, data tampering, and information disclosure. |
| CVE-2025-33255 |  | High | 0.49 | 7.5 | 0.01 |  | May 20, 2026 | NVIDIA TRT-LLM for any platform contains a vulnerability in MPI server, where an attacker could cause an unsafe deserialization. A successful exploit of this vulnerability might lead to code execution, denial of service, data tampering, and information disclosure. |
| CVE-2026-33233 |  | High | 0.49 | 7.6 | 0.00 |  | May 19, 2026 | AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. In versions 0.6.34 through 0.6.51, the backend deserializes Redis cache bytes using pickle.loads without integrity/authenticity checks. The write path… |
| CVE-2026-26978 |  | High | 0.49 | — | 0.01 |  | May 18, 2026 | FreePBX is an open source IP PBX. In versions below 16.0.71 and 17.0.6, the backup module does not properly sanitize data during restore operations, potentially leading to compromise if the backup contains carefully crafted hostile data. During backup restore operations, FreePBX… |
| CVE-2026-42471 |  | High | 0.49 | 8.1 | 0.02 |  | May 1, 2026 | Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The sync-invoke client (Connection.php:76) calls unserialize() on data received from the server response, enabling client-side RCE if connecting to a malicious server. |
| CVE-2026-22016 |  | High | 0.49 | 7.5 | 0.01 |  | Apr 21, 2026 | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle… |
| CVE-2026-23869 | — | High | 0.49 | 7.5 | 0.02 |  | Apr 8, 2026 | A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19.0.0 through 19.0.4, 19.1.0 through 19.1.5, and 19.2.0 through 19.2.4). The… |
| CVE-2026-2020 |  | High | 0.49 | 7.5 | 0.00 |  | Mar 7, 2026 | The JS Archive List plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.1.7 via the 'included' shortcode attribute. This is due to the deserialization of untrusted input supplied via the 'included' parameter of the plugin's… |
| CVE-2026-24385 |  | High | 0.49 | 7.5 | 0.00 |  | Mar 5, 2026 | Deserialization of Untrusted Data vulnerability in gerritvanaaken Podlove Web Player podlove-web-player allows Object Injection. This issue affects Podlove Web Player: from n/a through <= 5.9.1. |