VYPR

CWE-502

Deserialization of Untrusted Data

BaseDraftLikelihood: Medium

Description

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-586

CVEs mapped to this weakness (1,721)

page 6 of 87
  • CVE-2026-7301CriMay 18, 2026
    risk 0.64cvss 9.8epss 0.00

    SGLangs multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0 by default and contains a sink that calls pickle.loads() on incoming messages, enabling RCE when exposed to the internet.

  • CVE-2026-31239CriMay 12, 2026
    risk 0.64cvss 9.8epss 0.00

    The mamba language model framework thru 2.2.6 is vulnerable to insecure deserialization (CWE-502) when loading pre-trained models from HuggingFace Hub. The MambaLMHeadModel.from_pretrained() method uses torch.load() to load the pytorch_model.bin weight file without enabling the…

  • CVE-2026-31238CriMay 12, 2026
    risk 0.64cvss 9.8epss 0.01

    The Ludwig framework thru 0.10.4 is vulnerable to insecure deserialization (CWE-502) in its model serving component. When starting a model server with the ludwig serve command, the framework loads model weight files using torch.load() without enabling the security-restrictive…

  • CVE-2026-31237CriMay 12, 2026
    risk 0.64cvss 9.8epss 0.01

    The Ludwig framework thru 0.10.4 is vulnerable to insecure deserialization (CWE-502) through its predict() method. When a user provides a dataset file path to the predict() method, the framework automatically determines the file format. If the file is a pickle (.pkl) file, it is…

  • CVE-2026-31235CriMay 12, 2026
    risk 0.64cvss 9.8epss 0.00

    The imgaug library thru 0.4.0 contains an insecure deserialization vulnerability in its BackgroundAugmenter class within the multicore.py module. The class uses Python's pickle module to deserialize data received via a multiprocessing queue in the _augment_images_worker() method…

  • CVE-2026-31234CriMay 12, 2026
    risk 0.64cvss 9.8epss 0.01

    Horovod thru 0.28.1 contains an insecure deserialization vulnerability (CWE-502) in its KVStore HTTP server component. The KVStore server, used for distributed task coordination, lacks authentication and authorization controls, allowing any remote attacker to write arbitrary…

  • CVE-2026-31229CriMay 12, 2026
    risk 0.64cvss 9.8epss 0.01

    The Adversarial Robustness Toolbox (ART) thru 1.20.1 contains an insecure deserialization vulnerability (CWE-502) in its Kubeflow component's model loading functionality. When loading model weights from a file (e.g., model.pt) during robustness evaluation, the code uses…

  • CVE-2025-60889CriApr 28, 2026
    risk 0.64cvss 9.8epss 0.01

    Insecure deserialization of untrusted input in StellarGroup HPX 1.11.0 under certain conditions may allow attackers to execute arbitrary code or other unspecified impacts.

  • CVE-2026-40860CriApr 27, 2026
    risk 0.64cvss 9.8epss 0.01

    JmsBinding.extractBodyFromJms() in camel-jms, and the equivalent JmsBinding class in camel-sjms, deserialized the payload of incoming JMS ObjectMessage values via javax.jms.ObjectMessage.getObject() without applying any ObjectInputFilter, class allowlist or class denylist.…

  • CVE-2026-26210CriApr 23, 2026
    risk 0.64cvss 9.8epss 0.01

    KTransformers through 0.5.3 contains an unsafe deserialization vulnerability in the balance_serve backend mode where the scheduler RPC server binds a ZMQ ROUTER socket to all interfaces with no authentication and deserializes incoming messages using pickle.loads() without…

  • CVE-2026-40044CriApr 13, 2026
    risk 0.64cvss 9.8epss 0.00

    Pachno 1.0.6 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting malicious serialized objects into cache files. Attackers can write PHP object payloads to world-writable cache files with predictable names in the…

  • CVE-2026-4851CriMar 29, 2026
    risk 0.64cvss 9.8epss 0.00

    GRID::Machine versions through 0.127 for Perl allows arbitrary code execution via unsafe deserialization. GRID::Machine provides Remote Procedure Calls (RPC) over SSH for Perl. The client connects to remote hosts to execute code on them. A compromised or malicious remote host…

  • CVE-2026-32512CriMar 25, 2026
    risk 0.64cvss 9.8epss 0.00

    Deserialization of Untrusted Data vulnerability in Edge-Themes Pelicula pelicula-video-production-and-movie-theme allows Object Injection.This issue affects Pelicula: from n/a through < 1.10.

  • CVE-2026-32502CriMar 25, 2026
    risk 0.64cvss 9.8epss 0.00

    Deserialization of Untrusted Data vulnerability in Select-Themes Borgholm borgholm-marketing-agency-theme allows Object Injection.This issue affects Borgholm: from n/a through < 1.6.

  • CVE-2026-27095CriMar 25, 2026
    risk 0.64cvss 9.8epss 0.00

    Deserialization of Untrusted Data vulnerability in magepeopleteam Bus Ticket Booking with Seat Reservation bus-ticket-booking-with-seat-reservation allows Object Injection.This issue affects Bus Ticket Booking with Seat Reservation: from n/a through <= 5.6.0.

  • CVE-2026-27084CriMar 25, 2026
    risk 0.64cvss 9.8epss 0.00

    Deserialization of Untrusted Data vulnerability in ThemeREX Buisson buisson allows Object Injection.This issue affects Buisson: from n/a through <= 1.1.11.

  • CVE-2026-27083CriMar 25, 2026
    risk 0.64cvss 9.8epss 0.00

    Deserialization of Untrusted Data vulnerability in ThemeREX Work & Travel Company work-travel-company allows Object Injection.This issue affects Work & Travel Company: from n/a through <= 1.2.

  • CVE-2026-27082CriMar 25, 2026
    risk 0.64cvss 9.8epss 0.00

    Deserialization of Untrusted Data vulnerability in ThemeREX Love Story lovestory allows Object Injection.This issue affects Love Story: from n/a through <= 1.3.12.

  • CVE-2026-25429CriMar 25, 2026
    risk 0.64cvss 9.8epss 0.00

    Deserialization of Untrusted Data vulnerability in wpdive Nexa Blocks nexa-blocks allows Object Injection.This issue affects Nexa Blocks: from n/a through <= 1.1.1.

  • CVE-2026-25032CriMar 25, 2026
    risk 0.64cvss 9.8epss 0.00

    Deserialization of Untrusted Data vulnerability in park_of_ideas Ricky ricky allows Object Injection.This issue affects Ricky: from n/a through < 2.31.