CWE-502
Deserialization of Untrusted Data
Description
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
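The definition is terse, so here is the weakness and its usual fix side by side in Python's pickle, the native-serialization analogue of the Java, YAML and PHP cases in the list below. This is an added example, not code from the CWE entry or from any project named on this page; the `Gadget` class, the `RestrictedUnpickler` allow-list and the sample byte strings are constructed here for illustration.

```python
"""Vulnerable vs. hardened deserialization of untrusted bytes (Python pickle)."""
import builtins
import io
import os
import pickle


class Gadget:
    """Constructed attacker object: loading its pickle calls os.getcwd().

    os.getcwd is a harmless stand-in; a real payload names os.system,
    subprocess.Popen or any other importable callable in exactly the same way.
    """

    def __reduce__(self):
        # pickle records this as "call posix.getcwd with no arguments"
        return (os.getcwd, ())


# Constructed sample inputs, as a server might receive them on the wire.
MALICIOUS = pickle.dumps(Gadget())
BENIGN = pickle.dumps({"user": "alice", "roles": ["reader"]})
BENIGN_WITH_GLOBAL = pickle.dumps(range(3))  # references builtins.range
EXPECTED_CWD = os.getcwd()                     # what the payload will return


def unsafe_load(data: bytes):
    """CWE-502 pattern: pickle.loads resolves and calls whatever the stream names."""
    return pickle.loads(data)


# Hardened form: the only (module, name) globals a stream is allowed to reference.
ALLOWED_GLOBALS = {
    ("builtins", "range"),
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("builtins", "slice"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses every GLOBAL / STACK_GLOBAL opcode that is not on the allow-list."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def safe_load(data: bytes):
    """Deserialize with the restricted unpickler; raises on any forbidden global."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def safe_load_rejects(data: bytes) -> bool:
    """True if the hardened loader refuses the stream instead of executing it."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe_load ran an attacker-chosen callable:", unsafe_load(MALICIOUS))
    print("safe_load on benign data:", safe_load(BENIGN), list(safe_load(BENIGN_WITH_GLOBAL)))
    print("safe_load rejects the payload:", safe_load_rejects(MALICIOUS))
```

The point of `safe_load` is that validity is decided before any attacker-named code runs: the check sits in `find_class`, which pickle calls before it resolves a global, not after the object graph exists. The same shape applies to the other formats in the table: `yaml.safe_load` instead of `yaml.load` with a full loader, an explicit `allowTypes` allow-list in XStream, a JVM-wide `ObjectInputFilter` for native Java serialization, and `unserialize($s, ['allowed_classes' => false])` (or JSON instead of serialized PHP) where the input reaches PHP.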
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-586
CVEs mapped to this weakness (1,721)
page 56 of 87

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-39207 | | High | 0.48 | 8.4 | 0.02 | | Sep 10, 2021 | parlai is a framework for training and evaluating AI models on a variety of openly available dialogue datasets. In affected versions the package is vulnerable to a YAML deserialization attack caused by unsafe loading, which leads to arbitrary code execution. This security bug is… |
| CVE-2021-29505 | | High | 0.48 | 7.5 | 0.78 | | May 28, 2021 | XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker to gain sufficient rights to execute commands on the host only by manipulating the processed input stream. No user who followed the… |
| CVE-2017-1677 | | High | 0.48 | 7.4 | 0.01 | | Mar 22, 2018 | IBM Data Server Driver for JDBC and SQLJ (IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1) deserializes the contents of /tmp/connlicj.bin, which leads to object injection and potentially arbitrary code execution depending on the classpath. IBM X-Force ID: 133999. |
| CVE-2016-4385 | | High | 0.48 | 7.3 | 0.04 | | Sep 29, 2016 | The RMI service in HP Network Automation Software 9.1x, 9.2x, 10.0x before 10.00.02.01, and 10.1x before 10.11.00.01 allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) and Commons BeanUtils… |
| CVE-2026-39499 | | High | 0.47 | 7.2 | 0.00 | | Jun 15, 2026 | PHP Object Injection (shop manager role) in Advanced Product Fields (Product Addons) for WooCommerce versions <= 1.6.19. |
| CVE-2026-39498 | | High | 0.47 | 7.2 | 0.00 | | Jun 15, 2026 | PHP Object Injection (shop manager role) in YayMail versions <= 4.3.3. |
| CVE-2026-39481 | | High | 0.47 | 7.2 | 0.00 | | Jun 15, 2026 | PHP Object Injection (author role) in Modula Image Gallery versions <= 2.14.18. |
| CVE-2026-39472 | | High | 0.47 | 7.2 | 0.00 | | Jun 15, 2026 | PHP Object Injection (shop manager role) in WooCommerce PDF Invoices & Packing Slips versions < 5.9.0. |
| CVE-2026-39471 | | High | 0.47 | 7.2 | 0.00 | | Jun 15, 2026 | PHP Object Injection (author role) in ShortPixel Image Optimizer versions <= 6.4.3. |
| CVE-2026-39434 | | High | 0.47 | 7.2 | 0.00 | | Jun 15, 2026 | PHP Object Injection (shop manager role) in CTX Feed versions <= 6.6.26. |
| CVE-2026-40993 | | High | 0.47 | 7.3 | 0.00 | | Jun 10, 2026 | An attacker with write permissions to the database table managed by JdbcAssertingPartyMetadataRepository (saml2_asserting_party_metadata) may be able to store malicious serialized payloads in the columns containing the collection of verification or encryption credentials… |
| CVE-2026-37579 | | High | 0.47 | 7.3 | 0.00 | | May 28, 2026 | An issue in SMSGate sms-core <= 2.1.13.6 allows a remote attacker to execute arbitrary code via the Cmpp7FDeliverRequestMessageCodec.java component. |
| CVE-2026-8751 | | High | 0.47 | 7.3 | 0.00 | | May 17, 2026 | A security flaw has been discovered in h2oai h2o-3 up to 7402. This affects the function importBinaryModel of the file h2o-core/src/main/java/hex/Model.java of the component JAR Handler. Performing a manipulation results in deserialization. The attack is possible to be carried… |
| CVE-2026-39467 | | High | 0.47 | 7.2 | 0.00 | | Apr 21, 2026 | Deserialization of Untrusted Data vulnerability in MetaSlider Responsive Slider by MetaSlider allows Object Injection. This issue affects Responsive Slider by MetaSlider: from n/a through 3.106.0. |
| CVE-2026-24156 | | High | 0.47 | 7.3 | 0.00 | | Apr 7, 2026 | NVIDIA DALI contains a vulnerability where an attacker could cause a deserialization of untrusted data. A successful exploit of this vulnerability might lead to arbitrary code execution. |
| CVE-2026-5536 | | High | 0.47 | 7.3 | 0.00 | | Apr 5, 2026 | A weakness has been identified in FedML-AI FedML up to 0.8.9. Affected is the function sendMessage of the file grpc_server.py of the component gRPC server. Executing a manipulation can lead to deserialization. The attack may be performed from remote. The vendor was contacted… |
| CVE-2026-33725 | | High | 0.47 | 7.2 | 0.01 | | Mar 27, 2026 | Metabase is an open source business intelligence and embedded analytics tool. In Metabase Enterprise prior to versions 1.54.22, 1.55.22, 1.56.22, 1.57.16, 1.58.10, and 1.59.4, authenticated admins on Metabase Enterprise Edition can achieve Remote Code Execution (RCE) and… |
| CVE-2026-4860 | | High | 0.47 | 7.3 | 0.00 | | Mar 26, 2026 | A security flaw has been discovered in 648540858 wvp-GB28181-pro up to 2.7.4. This affects the function GenericFastJsonRedisSerializer of the file src/main/java/com/genersoft/iot/vmp/conf/redis/RedisTemplateConfig.java of the component API Endpoint. The manipulation results in… |
| CVE-2026-3328 | | High | 0.47 | 7.2 | 0.01 | | Mar 26, 2026 | The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to PHP Object Injection via deserialization of the 'post_content' of admin_form posts in all versions up to, and including, 3.28.31. This is due to the use of WordPress's `maybe_unserialize()` function without… |
| CVE-2026-22480 | | High | 0.47 | 7.2 | 0.01 | | Mar 25, 2026 | Deserialization of Untrusted Data vulnerability in WebToffee Product Feed for WooCommerce webtoffee-product-feed allows Object Injection. This issue affects Product Feed for WooCommerce: from n/a through <= 2.3.3. |