CWE-502
Deserialization of Untrusted Data
Description
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-586
CVEs mapped to this weakness (1,721)
page 6 of 87| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-7301 | Cri | 0.64 | 9.8 | 0.00 | May 18, 2026 | SGLangs multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0 by default and contains a sink that calls pickle.loads() on incoming messages, enabling RCE when exposed to the internet. | ||
| CVE-2026-31239 | Cri | 0.64 | 9.8 | 0.00 | May 12, 2026 | The mamba language model framework thru 2.2.6 is vulnerable to insecure deserialization (CWE-502) when loading pre-trained models from HuggingFace Hub. The MambaLMHeadModel.from_pretrained() method uses torch.load() to load the pytorch_model.bin weight file without enabling the… | ||
| CVE-2026-31238 | Cri | 0.64 | 9.8 | 0.01 | May 12, 2026 | The Ludwig framework thru 0.10.4 is vulnerable to insecure deserialization (CWE-502) in its model serving component. When starting a model server with the ludwig serve command, the framework loads model weight files using torch.load() without enabling the security-restrictive… | ||
| CVE-2026-31237 | Cri | 0.64 | 9.8 | 0.01 | May 12, 2026 | The Ludwig framework thru 0.10.4 is vulnerable to insecure deserialization (CWE-502) through its predict() method. When a user provides a dataset file path to the predict() method, the framework automatically determines the file format. If the file is a pickle (.pkl) file, it is… | ||
| CVE-2026-31235 | Cri | 0.64 | 9.8 | 0.00 | May 12, 2026 | The imgaug library thru 0.4.0 contains an insecure deserialization vulnerability in its BackgroundAugmenter class within the multicore.py module. The class uses Python's pickle module to deserialize data received via a multiprocessing queue in the _augment_images_worker() method… | ||
| CVE-2026-31234 | Cri | 0.64 | 9.8 | 0.01 | May 12, 2026 | Horovod thru 0.28.1 contains an insecure deserialization vulnerability (CWE-502) in its KVStore HTTP server component. The KVStore server, used for distributed task coordination, lacks authentication and authorization controls, allowing any remote attacker to write arbitrary… | ||
| CVE-2026-31229 | Cri | 0.64 | 9.8 | 0.01 | May 12, 2026 | The Adversarial Robustness Toolbox (ART) thru 1.20.1 contains an insecure deserialization vulnerability (CWE-502) in its Kubeflow component's model loading functionality. When loading model weights from a file (e.g., model.pt) during robustness evaluation, the code uses… | ||
| CVE-2025-60889 | Cri | 0.64 | 9.8 | 0.01 | Apr 28, 2026 | Insecure deserialization of untrusted input in StellarGroup HPX 1.11.0 under certain conditions may allow attackers to execute arbitrary code or other unspecified impacts. | ||
| CVE-2026-40860 | Cri | 0.64 | 9.8 | 0.01 | Apr 27, 2026 | JmsBinding.extractBodyFromJms() in camel-jms, and the equivalent JmsBinding class in camel-sjms, deserialized the payload of incoming JMS ObjectMessage values via javax.jms.ObjectMessage.getObject() without applying any ObjectInputFilter, class allowlist or class denylist.… | ||
| CVE-2026-26210 | Cri | 0.64 | 9.8 | 0.01 | Apr 23, 2026 | KTransformers through 0.5.3 contains an unsafe deserialization vulnerability in the balance_serve backend mode where the scheduler RPC server binds a ZMQ ROUTER socket to all interfaces with no authentication and deserializes incoming messages using pickle.loads() without… | ||
| CVE-2026-40044 | Cri | 0.64 | 9.8 | 0.00 | Apr 13, 2026 | Pachno 1.0.6 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting malicious serialized objects into cache files. Attackers can write PHP object payloads to world-writable cache files with predictable names in the… | ||
| CVE-2026-4851 | Cri | 0.64 | 9.8 | 0.00 | Mar 29, 2026 | GRID::Machine versions through 0.127 for Perl allows arbitrary code execution via unsafe deserialization. GRID::Machine provides Remote Procedure Calls (RPC) over SSH for Perl. The client connects to remote hosts to execute code on them. A compromised or malicious remote host… | ||
| CVE-2026-32512 | Cri | 0.64 | 9.8 | 0.00 | Mar 25, 2026 | Deserialization of Untrusted Data vulnerability in Edge-Themes Pelicula pelicula-video-production-and-movie-theme allows Object Injection.This issue affects Pelicula: from n/a through < 1.10. | ||
| CVE-2026-32502 | Cri | 0.64 | 9.8 | 0.00 | Mar 25, 2026 | Deserialization of Untrusted Data vulnerability in Select-Themes Borgholm borgholm-marketing-agency-theme allows Object Injection.This issue affects Borgholm: from n/a through < 1.6. | ||
| CVE-2026-27095 | Cri | 0.64 | 9.8 | 0.00 | Mar 25, 2026 | Deserialization of Untrusted Data vulnerability in magepeopleteam Bus Ticket Booking with Seat Reservation bus-ticket-booking-with-seat-reservation allows Object Injection.This issue affects Bus Ticket Booking with Seat Reservation: from n/a through <= 5.6.0. | ||
| CVE-2026-27084 | Cri | 0.64 | 9.8 | 0.00 | Mar 25, 2026 | Deserialization of Untrusted Data vulnerability in ThemeREX Buisson buisson allows Object Injection.This issue affects Buisson: from n/a through <= 1.1.11. | ||
| CVE-2026-27083 | Cri | 0.64 | 9.8 | 0.00 | Mar 25, 2026 | Deserialization of Untrusted Data vulnerability in ThemeREX Work & Travel Company work-travel-company allows Object Injection.This issue affects Work & Travel Company: from n/a through <= 1.2. | ||
| CVE-2026-27082 | Cri | 0.64 | 9.8 | 0.00 | Mar 25, 2026 | Deserialization of Untrusted Data vulnerability in ThemeREX Love Story lovestory allows Object Injection.This issue affects Love Story: from n/a through <= 1.3.12. | ||
| CVE-2026-25429 | Cri | 0.64 | 9.8 | 0.00 | Mar 25, 2026 | Deserialization of Untrusted Data vulnerability in wpdive Nexa Blocks nexa-blocks allows Object Injection.This issue affects Nexa Blocks: from n/a through <= 1.1.1. | ||
| CVE-2026-25032 | — | Cri | 0.64 | 9.8 | 0.00 | Mar 25, 2026 | Deserialization of Untrusted Data vulnerability in park_of_ideas Ricky ricky allows Object Injection.This issue affects Ricky: from n/a through < 2.31. |
- risk 0.64cvss 9.8epss 0.00
SGLangs multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0 by default and contains a sink that calls pickle.loads() on incoming messages, enabling RCE when exposed to the internet.
- risk 0.64cvss 9.8epss 0.00
The mamba language model framework thru 2.2.6 is vulnerable to insecure deserialization (CWE-502) when loading pre-trained models from HuggingFace Hub. The MambaLMHeadModel.from_pretrained() method uses torch.load() to load the pytorch_model.bin weight file without enabling the…
- risk 0.64cvss 9.8epss 0.01
The Ludwig framework thru 0.10.4 is vulnerable to insecure deserialization (CWE-502) in its model serving component. When starting a model server with the ludwig serve command, the framework loads model weight files using torch.load() without enabling the security-restrictive…
- risk 0.64cvss 9.8epss 0.01
The Ludwig framework thru 0.10.4 is vulnerable to insecure deserialization (CWE-502) through its predict() method. When a user provides a dataset file path to the predict() method, the framework automatically determines the file format. If the file is a pickle (.pkl) file, it is…
- risk 0.64cvss 9.8epss 0.00
The imgaug library thru 0.4.0 contains an insecure deserialization vulnerability in its BackgroundAugmenter class within the multicore.py module. The class uses Python's pickle module to deserialize data received via a multiprocessing queue in the _augment_images_worker() method…
- risk 0.64cvss 9.8epss 0.01
Horovod thru 0.28.1 contains an insecure deserialization vulnerability (CWE-502) in its KVStore HTTP server component. The KVStore server, used for distributed task coordination, lacks authentication and authorization controls, allowing any remote attacker to write arbitrary…
- risk 0.64cvss 9.8epss 0.01
The Adversarial Robustness Toolbox (ART) thru 1.20.1 contains an insecure deserialization vulnerability (CWE-502) in its Kubeflow component's model loading functionality. When loading model weights from a file (e.g., model.pt) during robustness evaluation, the code uses…
- risk 0.64cvss 9.8epss 0.01
Insecure deserialization of untrusted input in StellarGroup HPX 1.11.0 under certain conditions may allow attackers to execute arbitrary code or other unspecified impacts.
- risk 0.64cvss 9.8epss 0.01
JmsBinding.extractBodyFromJms() in camel-jms, and the equivalent JmsBinding class in camel-sjms, deserialized the payload of incoming JMS ObjectMessage values via javax.jms.ObjectMessage.getObject() without applying any ObjectInputFilter, class allowlist or class denylist.…
- risk 0.64cvss 9.8epss 0.01
KTransformers through 0.5.3 contains an unsafe deserialization vulnerability in the balance_serve backend mode where the scheduler RPC server binds a ZMQ ROUTER socket to all interfaces with no authentication and deserializes incoming messages using pickle.loads() without…
- risk 0.64cvss 9.8epss 0.00
Pachno 1.0.6 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting malicious serialized objects into cache files. Attackers can write PHP object payloads to world-writable cache files with predictable names in the…
- risk 0.64cvss 9.8epss 0.00
GRID::Machine versions through 0.127 for Perl allows arbitrary code execution via unsafe deserialization. GRID::Machine provides Remote Procedure Calls (RPC) over SSH for Perl. The client connects to remote hosts to execute code on them. A compromised or malicious remote host…
- risk 0.64cvss 9.8epss 0.00
Deserialization of Untrusted Data vulnerability in Edge-Themes Pelicula pelicula-video-production-and-movie-theme allows Object Injection.This issue affects Pelicula: from n/a through < 1.10.
- risk 0.64cvss 9.8epss 0.00
Deserialization of Untrusted Data vulnerability in Select-Themes Borgholm borgholm-marketing-agency-theme allows Object Injection.This issue affects Borgholm: from n/a through < 1.6.
- risk 0.64cvss 9.8epss 0.00
Deserialization of Untrusted Data vulnerability in magepeopleteam Bus Ticket Booking with Seat Reservation bus-ticket-booking-with-seat-reservation allows Object Injection.This issue affects Bus Ticket Booking with Seat Reservation: from n/a through <= 5.6.0.
- risk 0.64cvss 9.8epss 0.00
Deserialization of Untrusted Data vulnerability in ThemeREX Buisson buisson allows Object Injection.This issue affects Buisson: from n/a through <= 1.1.11.
- risk 0.64cvss 9.8epss 0.00
Deserialization of Untrusted Data vulnerability in ThemeREX Work & Travel Company work-travel-company allows Object Injection.This issue affects Work & Travel Company: from n/a through <= 1.2.
- risk 0.64cvss 9.8epss 0.00
Deserialization of Untrusted Data vulnerability in ThemeREX Love Story lovestory allows Object Injection.This issue affects Love Story: from n/a through <= 1.3.12.
- risk 0.64cvss 9.8epss 0.00
Deserialization of Untrusted Data vulnerability in wpdive Nexa Blocks nexa-blocks allows Object Injection.This issue affects Nexa Blocks: from n/a through <= 1.1.1.
- risk 0.64cvss 9.8epss 0.00
Deserialization of Untrusted Data vulnerability in park_of_ideas Ricky ricky allows Object Injection.This issue affects Ricky: from n/a through < 2.31.