VYPR

CWE-502

Deserialization of Untrusted Data

BaseDraftLikelihood: Medium

Description

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-586

CVEs mapped to this weakness (1,721)

page 60 of 87
  • CVE-2026-8727HigMay 19, 2026
    risk 0.46cvss epss 0.00

    The Crawler extension passes the X-T3Crawler-Meta response header from crawled URLs directly to PHP's unserialize(). An attacker controlling a crawled endpoint can inject arbitrary serialized PHP objects, leading to Remote Code Execution on the TYPO3 server. Exploitation…

  • CVE-2026-7635HigMay 13, 2026
    risk 0.46cvss 8.1epss 0.00

    The coreActivity: Activity Logging for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0. This is due to the plugin failing to validate or strip PHP serialization syntax from the User-Agent HTTP header before storing…

  • CVE-2026-25524HigApr 20, 2026
    risk 0.46cvss 8.1epss 0.01

    Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, PHP functions such as `getimagesize()`, `file_exists()`,…

  • CVE-2026-32590HigApr 8, 2026
    risk 0.46cvss 7.1epss 0.00

    A flaw was found in Red Hat Quay's handling of resumable container image layer uploads. The upload process stores intermediate data in the database using a format that, if tampered with, could allow an attacker to execute arbitrary code on the Quay server.

  • CVE-2026-27206HigFeb 21, 2026
    risk 0.46cvss 8.1epss 0.01

    Zumba Json Serializer is a library to serialize PHP variables in JSON format. In versions 3.2.2 and below, the library allows deserialization of PHP objects from JSON using a special @type field. The deserializer instantiates any class specified in the @type field without…

  • CVE-2026-24009HigJan 22, 2026
    risk 0.46cvss 8.1epss 0.01

    Docling Core (or docling-core) is a library that defines core data types and transformations in the document processing application Docling. A PyYAML-related Remote Code Execution (RCE) vulnerability, namely CVE-2020-14343, is exposed in docling-core starting in version 2.21.0…

  • CVE-2025-49438HigAug 20, 2025
    risk 0.46cvss 8.1epss 0.00

    Deserialization of Untrusted Data vulnerability in Max Chirkov Simple Login Log allows Object Injection. This issue affects Simple Login Log: from n/a through 1.1.3.

  • CVE-2025-47771HigJun 20, 2025
    risk 0.46cvss epss 0.00

    PowSyBl (Power System Blocks) is a framework to build power system oriented software. In versions 6.3.0 to 6.7.1, there is a deserialization issue in the read method of the SparseMatrix class that can lead to a wide range of privilege escalations depending on the circumstances.…

  • CVE-2024-12313HigJan 7, 2025
    risk 0.46cvss 8.1epss 0.01

    The Compare Products for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.1 via deserialization of untrusted input from the 'woo_compare_list' cookie. This makes it possible for unauthenticated attackers to inject a…

  • CVE-2024-5085HigMay 23, 2024
    risk 0.46cvss 8.1epss 0.01

    The Hash Form – Drag & Drop Form Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1.0 via deserialization of untrusted input in the 'process_entry' function. This makes it possible for unauthenticated attackers to…

  • CVE-2023-47507HigDec 20, 2023
    risk 0.46cvss 7.1epss 0.00

    Deserialization of Untrusted Data vulnerability in Master Slider Master Slider Pro.This issue affects Master Slider Pro: from n/a through 3.6.5.

  • CVE-2023-47130HigNov 14, 2023
    risk 0.46cvss 8.1epss 0.03

    Yii is an open source PHP web framework. yiisoft/yii before version 1.1.29 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. An attacker may leverage this vulnerability to compromise the host system. A fix has been…

  • CVE-2020-10650HigDec 26, 2022
    risk 0.46cvss 8.1epss 0.03

    A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory,…

  • CVE-2022-41922HigNov 23, 2022
    risk 0.46cvss 8.1epss 0.01

    `yiisoft/yii` before version 1.1.27 are vulnerable to Remote Code Execution (RCE) if the application calls `unserialize()` on arbitrary user input. This has been patched in 1.1.27.

  • CVE-2021-41766HigJan 26, 2022
    risk 0.46cvss 8.1epss 0.02

    Apache Karaf allows monitoring of applications and the Java runtime by using the Java Management Extensions (JMX). JMX is a Java RMI based technology that relies on Java serialized objects for client server communication. Whereas the default JMX implementation is hardened…

  • CVE-2022-21647HigJan 4, 2022
    risk 0.46cvss 7.7epss 0.38

    CodeIgniter is an open source PHP full-stack web framework. Deserialization of Untrusted Data was found in the `old()` function in CodeIgniter4. Remote attackers may inject auto-loadable arbitrary objects with this vulnerability, and possibly execute existing PHP code on the…

  • CVE-2021-41129HigOct 6, 2021
    risk 0.46cvss 8.1epss 0.02

    Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. A malicious user can modify the contents of a `confirmation_token` input during the two-factor authentication process to reference a cache value not associated with the login attempt. In…

  • CVE-2021-21346MedMar 23, 2021
    risk 0.46cvss 6.1epss 0.76

    XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is…

  • CVE-2021-20190HigJan 19, 2021
    risk 0.46cvss 8.1epss 0.07

    A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

  • CVE-2020-36183HigJan 7, 2021
    risk 0.46cvss 8.1epss 0.05

    FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.