VYPR

CWE-502

Deserialization of Untrusted Data

Abstraction: Base / Status: Draft / Likelihood: Medium

Description

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-586

CVEs mapped to this weakness (1,721)

page 56 of 87
  • CVE-2021-39207 (High) Sep 10, 2021
    risk 0.48, CVSS 8.4, EPSS 0.02

    parlai is a framework for training and evaluating AI models on a variety of openly available dialogue datasets. In affected versions the package is vulnerable to a YAML deserialization attack caused by unsafe loading which leads to arbitrary code execution. This security bug is…

  • CVE-2021-29505 (High) May 28, 2021
    risk 0.48, CVSS 7.5, EPSS 0.78

    XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker who has sufficient rights to execute commands on the host only by manipulating the processed input stream. No user who followed the…

  • CVE-2017-1677 (High) Mar 22, 2018
    risk 0.48, CVSS 7.4, EPSS 0.01

    IBM Data Server Driver for JDBC and SQLJ (IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1) deserializes the contents of /tmp/connlicj.bin which leads to object injection and potentially arbitrary code execution depending on the classpath. IBM X-Force ID: 133999.

  • CVE-2016-4385 (High) Sep 29, 2016
    risk 0.48, CVSS 7.3, EPSS 0.04

    The RMI service in HP Network Automation Software 9.1x, 9.2x, 10.0x before 10.00.02.01, and 10.1x before 10.11.00.01 allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) and Commons BeanUtils…

  • CVE-2026-39499 (High) Jun 15, 2026
    risk 0.47, CVSS 7.2, EPSS 0.00

    Shop manager PHP Object Injection in Advanced Product Fields (Product Addons) for WooCommerce <= 1.6.19 versions.

  • CVE-2026-39498 (High) Jun 15, 2026
    risk 0.47, CVSS 7.2, EPSS 0.00

    Shop manager PHP Object Injection in YayMail <= 4.3.3 versions.

  • CVE-2026-39481 (High) Jun 15, 2026
    risk 0.47, CVSS 7.2, EPSS 0.00

    Author PHP Object Injection in Modula Image Gallery <= 2.14.18 versions.

  • CVE-2026-39472 (High) Jun 15, 2026
    risk 0.47, CVSS 7.2, EPSS 0.00

    Shop manager PHP Object Injection in WooCommerce PDF Invoices & Packing Slips < 5.9.0 versions.

  • CVE-2026-39471 (High) Jun 15, 2026
    risk 0.47, CVSS 7.2, EPSS 0.00

    Author PHP Object Injection in ShortPixel Image Optimizer <= 6.4.3 versions.

  • CVE-2026-39434 (High) Jun 15, 2026
    risk 0.47, CVSS 7.2, EPSS 0.00

    Shop manager PHP Object Injection in CTX Feed <= 6.6.26 versions.

  • CVE-2026-40993 (High) Jun 10, 2026
    risk 0.47, CVSS 7.3, EPSS 0.00

    An attacker with write permissions to the database table managed by JdbcAssertingPartyMetadataRepository (saml2_asserting_party_metadata) may be able to store malicious serialized payloads in the columns containing the collection of verification or encryption credentials…

  • CVE-2026-37579 (High) May 28, 2026
    risk 0.47, CVSS 7.3, EPSS 0.00

    An issue in SMSGate sms-core <= 2.1.13.6 allows a remote attacker to execute arbitrary code via the Cmpp7FDeliverRequestMessageCodec.java component.

  • CVE-2026-8751 (High) May 17, 2026
    risk 0.47, CVSS 7.3, EPSS 0.00

    A security flaw has been discovered in h2oai h2o-3 up to 7402. This affects the function importBinaryModel of the file h2o-core/src/main/java/hex/Model.java of the component JAR Handler. Performing a manipulation results in deserialization. The attack is possible to be carried…

  • CVE-2026-39467 (High) Apr 21, 2026
    risk 0.47, CVSS 7.2, EPSS 0.00

    Deserialization of Untrusted Data vulnerability in MetaSlider Responsive Slider by MetaSlider allows Object Injection. This issue affects Responsive Slider by MetaSlider: from n/a through 3.106.0.

  • CVE-2026-24156 (High) Apr 7, 2026
    risk 0.47, CVSS 7.3, EPSS 0.00

    NVIDIA DALI contains a vulnerability where an attacker could cause a deserialization of untrusted data. A successful exploit of this vulnerability might lead to arbitrary code execution.

  • CVE-2026-5536 (High) Apr 5, 2026
    risk 0.47, CVSS 7.3, EPSS 0.00

    A weakness has been identified in FedML-AI FedML up to 0.8.9. Affected is the function sendMessage of the file grpc_server.py of the component gRPC server. Executing a manipulation can lead to deserialization. The attack may be performed from remote. The vendor was contacted…

  • CVE-2026-33725 (High) Mar 27, 2026
    risk 0.47, CVSS 7.2, EPSS 0.01

    Metabase is an open source business intelligence and embedded analytics tool. In Metabase Enterprise prior to versions 1.54.22, 1.55.22, 1.56.22, 1.57.16, 1.58.10, and 1.59.4, authenticated admins on Metabase Enterprise Edition can achieve Remote Code Execution (RCE) and…

  • CVE-2026-4860 (High) Mar 26, 2026
    risk 0.47, CVSS 7.3, EPSS 0.00

    A security flaw has been discovered in 648540858 wvp-GB28181-pro up to 2.7.4. This affects the function GenericFastJsonRedisSerializer of the file src/main/java/com/genersoft/iot/vmp/conf/redis/RedisTemplateConfig.java of the component API Endpoint. The manipulation results in…

  • CVE-2026-3328 (High) Mar 26, 2026
    risk 0.47, CVSS 7.2, EPSS 0.01

    The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to PHP Object Injection via deserialization of the 'post_content' of admin_form posts in all versions up to, and including, 3.28.31. This is due to the use of WordPress's `maybe_unserialize()` function without…

  • CVE-2026-22480 (High) Mar 25, 2026
    risk 0.47, CVSS 7.2, EPSS 0.01

    Deserialization of Untrusted Data vulnerability in WebToffee Product Feed for WooCommerce webtoffee-product-feed allows Object Injection. This issue affects Product Feed for WooCommerce: from n/a through <= 2.3.3.