CWE-502
Deserialization of Untrusted Data
Abstraction: Base | Status: Draft | Likelihood of Exploit: Medium
Description
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-586
CVEs mapped to this weakness (971)
Page 6 of 49

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-60233 | Critical | 0.64 | 9.8 | 0.00 | | Mar 19, 2026 | Deserialization of Untrusted Data vulnerability in Themeton Zuut allows Object Injection. This issue affects Zuut: from n/a through 1.4.2. |
| CVE-2026-25449 | Critical | 0.64 | 9.8 | 0.00 | | Mar 18, 2026 | Deserialization of Untrusted Data vulnerability in shinetheme Traveler traveler allows Object Injection. This issue affects Traveler: from n/a through < 3.2.8.1. |
| CVE-2026-3060 | Critical | 0.64 | 9.8 | 0.02 | | Mar 12, 2026 | SGLang's encoder parallel disaggregation system is vulnerable to unauthenticated remote code execution through the disaggregation module, which deserializes untrusted data using pickle.loads() without authentication. |
| CVE-2026-3059 | Critical | 0.64 | 9.8 | 0.02 | | Mar 12, 2026 | SGLang's multimodal generation module is vulnerable to unauthenticated remote code execution through the ZMQ broker, which deserializes untrusted data using pickle.loads() without authentication. |
| CVE-2026-2599 | Critical | 0.64 | 9.8 | 0.00 | | Mar 5, 2026 | The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.7 via deserialization of untrusted input in the 'download_csv' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. |
| CVE-2026-28105 | Critical | 0.64 | 9.8 | 0.00 | | Mar 5, 2026 | Deserialization of Untrusted Data vulnerability in ThemeREX Good Energy goodenergy allows Object Injection. This issue affects Good Energy: from n/a through <= 1.7.7. |
| CVE-2026-28074 | Critical | 0.64 | 9.8 | 0.00 | | Mar 5, 2026 | Deserialization of Untrusted Data vulnerability in ThemeREX Pizza House pizzahouse allows Object Injection. This issue affects Pizza House: from n/a through <= 1.4.0. |
| CVE-2026-27439 | Critical | 0.64 | 9.8 | 0.00 | | Mar 5, 2026 | Deserialization of Untrusted Data vulnerability in ThemeREX Dentario dentario allows Object Injection. This issue affects Dentario: from n/a through <= 1.5. |
| CVE-2026-27438 | Critical | 0.64 | 9.8 | 0.00 | | Mar 5, 2026 | Deserialization of Untrusted Data vulnerability in ThemeREX Kingler kingler allows Object Injection. This issue affects Kingler: from n/a through <= 1.7. |
| CVE-2026-27437 | Critical | 0.64 | 9.8 | 0.00 | | Mar 5, 2026 | Deserialization of Untrusted Data vulnerability in ThemeREX Tennis Club tennis-sportclub allows Object Injection. This issue affects Tennis Club: from n/a through <= 1.2.3. |
| CVE-2026-27417 | Critical | 0.64 | 9.8 | 0.00 | | Mar 5, 2026 | Deserialization of Untrusted Data vulnerability in SeventhQueen Sweet Date sweetdate allows Object Injection. This issue affects Sweet Date: from n/a through < 4.0.1. |
| CVE-2026-22501 | Critical | 0.64 | 9.8 | 0.00 | | Mar 5, 2026 | Deserialization of Untrusted Data vulnerability in axiomthemes Mounthood mounthood allows Object Injection. This issue affects Mounthood: from n/a through <= 1.3.2. |
| CVE-2026-22497 | Critical | 0.64 | 9.8 | 0.00 | | Mar 5, 2026 | Deserialization of Untrusted Data vulnerability in AncoraThemes Jardi jardi allows Object Injection. This issue affects Jardi: from n/a through <= 1.7.2. |
| CVE-2026-22475 | Critical | 0.64 | 9.8 | 0.00 | | Mar 5, 2026 | Deserialization of Untrusted Data vulnerability in axiomthemes Estate estate allows Object Injection. This issue affects Estate: from n/a through <= 1.3.4. |
| CVE-2026-22474 | Critical | 0.64 | 9.8 | 0.00 | | Mar 5, 2026 | Deserialization of Untrusted Data vulnerability in ThemeREX Equestrian Centre equestrian-centre allows Object Injection. This issue affects Equestrian Centre: from n/a through <= 1.5. |
| CVE-2026-22454 | Critical | 0.64 | 9.8 | 0.00 | | Mar 5, 2026 | Deserialization of Untrusted Data vulnerability in ThemeREX Solaris solaris allows Object Injection. This issue affects Solaris: from n/a through <= 2.5. |
| CVE-2026-22453 | Critical | 0.64 | 9.8 | 0.00 | | Mar 5, 2026 | Deserialization of Untrusted Data vulnerability in ThemeREX Pets Club petclub allows Object Injection. This issue affects Pets Club: from n/a through <= 2.3. |
| CVE-2026-22451 | Critical | 0.64 | 9.8 | 0.00 | | Mar 5, 2026 | Deserialization of Untrusted Data vulnerability in AncoraThemes Handyman handyman-services allows Object Injection. This issue affects Handyman: from n/a through <= 1.4.7. |
| CVE-2026-22417 | Critical | 0.64 | 9.8 | 0.00 | | Mar 5, 2026 | Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Wedding grandwedding allows Object Injection. This issue affects Grand Wedding: from n/a through < 3.1.11. |
| CVE-2025-54001 | Critical | 0.64 | 9.8 | 0.00 | | Mar 5, 2026 | Deserialization of Untrusted Data vulnerability in ThemeREX Classter classter allows Object Injection. This issue affects Classter: from n/a through <= 2.5. |