VYPR

CWE-502

Deserialization of Untrusted Data

Abstraction: Base
Status: Draft
Likelihood of exploit: Medium

Description

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-586

CVEs mapped to this weakness (1,721)

page 55 of 87
  • CVE-2018-12679 | severity: High | Apr 2, 2019
    risk 0.49 | CVSS 7.5 | EPSS 0.01

    The Serialize.deserialize() method in CoAPthon3 1.0 and 1.0.1 mishandles certain exceptions, leading to a denial of service in applications that use this library (e.g., the standard CoAP server, CoAP client, example collect CoAP server and client) when they receive crafted CoAP…

  • CVE-2018-10911 | severity: High | Sep 4, 2018
    risk 0.49 | CVSS 7.5 | EPSS 0.03

    A flaw was found in the way the dic_unserialize function of glusterfs fails to handle negative key length values. An attacker could use this flaw to read memory from other locations into the stored dict value.

  • CVE-2018-1310 | severity: High | May 23, 2018
    risk 0.49 | CVSS 7.5 | EPSS 0.03

    Apache NiFi has a JMS deserialization issue caused by an ActiveMQ client vulnerability. Malicious JMS content could cause a denial of service. See the ActiveMQ CVE-2015-5254 announcement for more information. The fix to upgrade the activemq-client library to 5.15.3 was applied on the Apache…

  • CVE-2018-7529 | severity: High | Mar 14, 2018
    risk 0.49 | CVSS 7.5 | EPSS 0.02

    A Deserialization of Untrusted Data issue was discovered in OSIsoft PI Data Archive versions 2017 and prior. Unauthenticated users may modify deserialized data to send custom requests that crash the server.

  • CVE-2017-1000195 | severity: High | Nov 17, 2017
    risk 0.49 | CVSS 7.5 | EPSS 0.02

    October CMS build 412 is vulnerable to PHP object injection in the asset move functionality, resulting in the ability to delete files, limited by file permissions on the server.

  • CVE-2017-9844 | severity: High | Jul 12, 2017
    risk 0.49 | CVSS 7.5 | EPSS 0.06

    SAP NetWeaver 7400.12.21.30308 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted serialized Java object in a request to metadatauploader, aka SAP Security Note 2399804. NOTE: The vendor states that the devserver package of…

  • CVE-2017-11143 | severity: High | Jul 10, 2017
    risk 0.49 | CVSS 7.5 | EPSS 0.07

    In PHP before 5.6.31, an invalid free in the WDDX deserialization of boolean parameters could be used by attackers able to inject XML for deserialization to crash the PHP interpreter, related to an invalid free for an empty boolean element in ext/wddx/wddx.c.

  • CVE-2017-8804 | severity: High | May 7, 2017
    risk 0.49 | CVSS 7.5 | EPSS 0.08

    The xdr_bytes and xdr_string functions in the GNU C Library (aka glibc or libc6) 2.25 mishandle failures of buffer deserialization, which allows remote attackers to cause a denial of service (virtual memory allocation, or memory consumption if an overcommit setting is not used)…

  • CVE-2016-4483 | severity: High | Apr 11, 2017
    risk 0.49 | CVSS 7.5 | EPSS 0.06

    The xmlBufAttrSerializeTxtContent function in xmlsave.c in libxml2 allows context-dependent attackers to cause a denial of service (out-of-bounds read and application crash) via a non-UTF-8 attribute value, related to serialization. NOTE: this vulnerability may be a duplicate…

  • CVE-2026-37552 | severity: High | May 1, 2026
    risk 0.48 | CVSS 8.4 | EPSS 0.00

    Unsafe deserialization vulnerability in MixPHP Framework 2.x through 2.2.17. The sync-invoke TCP server (Server.php:87) receives data from a TCP socket, passes it directly to Opis\Closure\unserialize(), then executes the result via call_user_func(). No authentication or signature…

  • CVE-2025-54886 | severity: High | Aug 8, 2025
    risk 0.48 | CVSS 8.4 | EPSS 0.00

    skops is a Python library which helps users share and ship their scikit-learn based models. In versions 0.12.0 and below, Card.get_model does not contain any logic to prevent arbitrary code execution. The Card.get_model function supports both joblib and skops for model…

  • CVE-2025-3425 | severity: High | Apr 7, 2025
    risk 0.48 | CVSS not listed | EPSS 0.00

    The IntelliSpace portal application utilizes .NET Remoting for its functionality. The vulnerability arises from exploitation of port 755 through a deserialization flaw. After analyzing the configuration files, we observed that the server had set the…

  • CVE-2025-22510 | severity: High | Jan 9, 2025
    risk 0.48 | CVSS 7.2 | EPSS 0.01

    Deserialization of Untrusted Data vulnerability in kkarpieszuk WC Price History for Omnibus (wc-price-history) allows Object Injection. This issue affects WC Price History for Omnibus: from n/a through <= 2.1.4.

  • CVE-2024-35780 | severity: High | Jun 19, 2024
    risk 0.48 | CVSS 8.5 | EPSS 0.00

    Deserialization of Untrusted Data vulnerability in Live Composer Team Page Builder: Live Composer. This issue affects Page Builder: Live Composer: from n/a through 1.5.42.

  • CVE-2024-32876 | severity: High | Apr 24, 2024
    risk 0.48 | CVSS 8.5 | EPSS 0.00

    NewPipe is an Android app for video streaming written in Java. It supports exporting and importing backups, as a way to let users move their data to a new device effortlessly. However, in versions 0.13.4 through 0.26.1, importing a backup file from an untrusted source could have…

  • CVE-2024-3054 | severity: High | Apr 12, 2024
    risk 0.48 | CVSS 7.2 | EPSS 0.42

    WPvivid Backup & Migration Plugin for WordPress is vulnerable to PHAR Deserialization in all versions up to, and including, 0.9.99 via deserialization of untrusted input at the wpvividstg_get_custom_exclude_path_free action. This is due to the plugin not providing sufficient…

  • CVE-2023-27459 | severity: High | Mar 26, 2024
    risk 0.48 | CVSS 7.4 | EPSS 0.01

    Deserialization of Untrusted Data vulnerability in WPEverest User Registration. This issue affects User Registration: from n/a through 2.3.2.1.

  • CVE-2023-46147 | severity: High | Dec 20, 2023
    risk 0.48 | CVSS 7.4 | EPSS 0.00

    Deserialization of Untrusted Data vulnerability in Themify Themify Ultra. This issue affects Themify Ultra: from n/a through 7.3.5.

  • CVE-2023-37941 | severity: Medium | Sep 6, 2023
    risk 0.48 | CVSS 6.6 | EPSS 0.29

    If an attacker gains write access to the Apache Superset metadata database, they could persist a specifically crafted Python object that may lead to remote code execution on Superset's web backend. The Superset metadata db is an 'internal' component that is typically only…

  • CVE-2022-0749 | severity: High | Mar 17, 2022
    risk 0.48 | CVSS 7.4 | EPSS 0.02

    This affects all versions of package SinGooCMS.Utility. The socket client in the package can pass in the payload via the user-controllable input after it has been established, because this socket client transmission does not have the appropriate restrictions or type bindings for…