CWE-502
Deserialization of Untrusted Data
Description
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-586
CVEs mapped to this weakness (1,721)
page 55 of 87

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-12679 | | High | 0.49 | 7.5 | 0.01 | | Apr 2, 2019 | The Serialize.deserialize() method in CoAPthon3 1.0 and 1.0.1 mishandles certain exceptions, leading to a denial of service in applications that use this library (e.g., the standard CoAP server, CoAP client, example collect CoAP server and client) when they receive crafted CoAP… |
| CVE-2018-10911 | | High | 0.49 | 7.5 | 0.03 | | Sep 4, 2018 | A flaw was found in the way dic_unserialize function of glusterfs does not handle negative key length values. An attacker could use this flaw to read memory from other locations into the stored dict value. |
| CVE-2018-1310 | | High | 0.49 | 7.5 | 0.03 | | May 23, 2018 | Apache NiFi JMS Deserialization issue because of ActiveMQ client vulnerability. Malicious JMS content could cause denial of service. See ActiveMQ CVE-2015-5254 announcement for more information. The fix to upgrade the activemq-client library to 5.15.3 was applied on the Apache… |
| CVE-2018-7529 | | High | 0.49 | 7.5 | 0.02 | | Mar 14, 2018 | A Deserialization of Untrusted Data issue was discovered in OSIsoft PI Data Archive versions 2017 and prior. Unauthenticated users may modify deserialized data to send custom requests that crash the server. |
| CVE-2017-1000195 | | High | 0.49 | 7.5 | 0.02 | | Nov 17, 2017 | October CMS build 412 is vulnerable to PHP object injection in asset move functionality resulting in ability to delete files limited by file permissions on the server. |
| CVE-2017-9844 | | High | 0.49 | 7.5 | 0.06 | | Jul 12, 2017 | SAP NetWeaver 7400.12.21.30308 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted serialized Java object in a request to metadatauploader, aka SAP Security Note 2399804. NOTE: The vendor states that the devserver package of… |
| CVE-2017-11143 | | High | 0.49 | 7.5 | 0.07 | | Jul 10, 2017 | In PHP before 5.6.31, an invalid free in the WDDX deserialization of boolean parameters could be used by attackers able to inject XML for deserialization to crash the PHP interpreter, related to an invalid free for an empty boolean element in ext/wddx/wddx.c. |
| CVE-2017-8804 | | High | 0.49 | 7.5 | 0.08 | | May 7, 2017 | The xdr_bytes and xdr_string functions in the GNU C Library (aka glibc or libc6) 2.25 mishandle failures of buffer deserialization, which allows remote attackers to cause a denial of service (virtual memory allocation, or memory consumption if an overcommit setting is not used)… |
| CVE-2016-4483 | | High | 0.49 | 7.5 | 0.06 | | Apr 11, 2017 | The xmlBufAttrSerializeTxtContent function in xmlsave.c in libxml2 allows context-dependent attackers to cause a denial of service (out-of-bounds read and application crash) via a non-UTF-8 attribute value, related to serialization. NOTE: this vulnerability may be a duplicate… |
| CVE-2026-37552 | | High | 0.48 | 8.4 | 0.00 | | May 1, 2026 | Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The sync-invoke TCP server (Server.php:87) receives data from a TCP socket, passes it directly to Opis\Closure\unserialize(), then executes the result via call_user_func(). No authentication or signature… |
| CVE-2025-54886 | | High | 0.48 | 8.4 | 0.00 | | Aug 8, 2025 | skops is a Python library which helps users share and ship their scikit-learn based models. In versions 0.12.0 and below, the Card.get_model does not contain any logic to prevent arbitrary code execution. The Card.get_model function supports both joblib and skops for model… |
| CVE-2025-3425 | | High | 0.48 | — | 0.00 | | Apr 7, 2025 | The IntelliSpace portal application utilizes .NET Remoting for its functionality. The vulnerability arises from the exploitation of port 755 through the deserialization vulnerability. After analyzing the configuration files, we observed that the server had set the… |
| CVE-2025-22510 | | High | 0.48 | 7.2 | 0.01 | | Jan 9, 2025 | Deserialization of Untrusted Data vulnerability in kkarpieszuk WC Price History for Omnibus wc-price-history allows Object Injection. This issue affects WC Price History for Omnibus: from n/a through <= 2.1.4. |
| CVE-2024-35780 | | High | 0.48 | 8.5 | 0.00 | | Jun 19, 2024 | Deserialization of Untrusted Data vulnerability in Live Composer Team Page Builder: Live Composer. This issue affects Page Builder: Live Composer: from n/a through 1.5.42. |
| CVE-2024-32876 | | High | 0.48 | 8.5 | 0.00 | | Apr 24, 2024 | NewPipe is an Android app for video streaming written in Java. It supports exporting and importing backups, as a way to let users move their data to a new device effortlessly. However, in versions 0.13.4 through 0.26.1, importing a backup file from an untrusted source could have… |
| CVE-2024-3054 | | High | 0.48 | 7.2 | 0.42 | | Apr 12, 2024 | WPvivid Backup & Migration Plugin for WordPress is vulnerable to PHAR Deserialization in all versions up to, and including, 0.9.99 via deserialization of untrusted input at the wpvividstg_get_custom_exclude_path_free action. This is due to the plugin not providing sufficient… |
| CVE-2023-27459 | | High | 0.48 | 7.4 | 0.01 | | Mar 26, 2024 | Deserialization of Untrusted Data vulnerability in WPEverest User Registration. This issue affects User Registration: from n/a through 2.3.2.1. |
| CVE-2023-46147 | | High | 0.48 | 7.4 | 0.00 | | Dec 20, 2023 | Deserialization of Untrusted Data vulnerability in Themify Themify Ultra. This issue affects Themify Ultra: from n/a through 7.3.5. |
| CVE-2023-37941 | | Med | 0.48 | 6.6 | 0.29 | | Sep 6, 2023 | If an attacker gains write access to the Apache Superset metadata database, they could persist a specifically crafted Python object that may lead to remote code execution on Superset's web backend. The Superset metadata db is an 'internal' component that is typically only… |
| CVE-2022-0749 | | High | 0.48 | 7.4 | 0.02 | | Mar 17, 2022 | This affects all versions of package SinGooCMS.Utility. The socket client in the package can pass in the payload via the user-controllable input after it has been established, because this socket client transmission does not have the appropriate restrictions or type bindings for… |