VYPR

CWE-502

Deserialization of Untrusted Data

BaseDraftLikelihood: Medium

Description

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
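The definition above is abstract, so here is the weakness and its mitigation side by side in Python's pickle module, the sink behind several of the CVEs listed on this page (pickle.load, torch.load without weights_only=True). This is an added example, not code from the VYPR page or from any of the projects it lists; the Gadget class, the SAFE_GLOBALS allowlist and the RestrictedUnpickler are assumptions for illustration, and both pickle streams are constructed inside the block.

```python
"""Added example (not from the VYPR page or any project it lists): the CWE-502
pattern in Python's pickle. A crafted stream makes the loader call an attacker-
chosen callable; a restricted Unpickler that allowlists globals refuses it."""
import io
import pickle
from collections import OrderedDict


class Gadget:
    """Stand-in for an attacker-controlled object graph (hypothetical).

    pickle honours __reduce__: the stream records "call eval with this
    argument", so merely *loading* the bytes executes code. A real payload
    would name os.system or subprocess.Popen instead of eval("6 * 7")."""

    def __reduce__(self):
        return (eval, ("6 * 7",))


def build_malicious_pickle() -> bytes:
    """Constructed sample input: what an attacker would upload or store."""
    return pickle.dumps(Gadget())


def unsafe_load(data: bytes):
    """The CWE-502 sink: trusts the stream to name any importable global."""
    return pickle.loads(data)


# Allowlist of (module, name) pairs the application actually needs to rebuild.
# Everything else, including builtins.eval, os.system and subprocess.Popen,
# is refused before it is ever imported.
SAFE_GLOBALS = {
    ("collections", "OrderedDict"),
    ("builtins", "set"),
    ("builtins", "frozenset"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """find_class is the one hook every global reference passes through."""

    def find_class(self, module: str, name: str):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load global {module}.{name}")


def restricted_load(data: bytes):
    """Hardened sink: same wire format, but only allowlisted classes resolve."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo() -> dict:
    """Run both sinks against a benign and a malicious stream."""
    benign = pickle.dumps(OrderedDict(model="cnn", layers=[3, 5, 8]))
    malicious = build_malicious_pickle()
    results = {
        "unsafe_malicious": unsafe_load(malicious),    # 42: eval actually ran
        "restricted_benign": restricted_load(benign),  # OrderedDict restored
    }
    try:
        restricted_load(malicious)
        results["restricted_malicious"] = "loaded"
    except pickle.UnpicklingError as exc:
        results["restricted_malicious"] = str(exc)  # refused at builtins.eval
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The same allowlisting idea is what torch.load(weights_only=True) and yaml.safe_load apply for their formats. An allowlist only holds if every permitted class is itself inert on reconstruction (no side effects in __setstate__ or __reduce__ arguments), so for input that is genuinely untrusted the stronger fix is a data-only format such as JSON validated against a schema, with the pickle stream never reaching a loader at all.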

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-586

CVEs mapped to this weakness (1,721)

page 62 of 87
  • CVE-2018-5968 (High) Jan 22, 2018
    risk 0.46 / cvss 8.1 / epss 0.07

    FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.

  • CVE-2017-4995 (High) Nov 27, 2017
    risk 0.46 / cvss 8.1 / epss 0.03

    An issue was discovered in Pivotal Spring Security 4.2.0.RELEASE through 4.2.2.RELEASE, and Spring Security 5.0.0.M1. When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execution. Jackson fixed this…

  • CVE-2017-1000034 (High) Jul 17, 2017
    risk 0.46 / cvss 8.1 / epss 0.06

    Akka versions <=2.4.16 and 2.5-M1 are vulnerable to a Java deserialization attack in its Remoting component, resulting in remote code execution in the context of the ActorSystem.

  • CVE-2017-10803 (Medium) Jul 4, 2017
    risk 0.46 / cvss 6.5 / epss 0.04

    In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, insecure handling of anonymization data in the Database Anonymization module allows remote authenticated privileged users to execute arbitrary Python code, because unpickle is used.

  • CVE-2026-44795 (High) Jun 22, 2026
    risk 0.45 / cvss (none listed) / epss (none listed)

    Impact: There is an unsafe YAML processing vulnerability that bypasses safe deserialization. This impacts users when performing CloudFormation deployments or CloudFoundry Baking. The use of a non-safe constructor allows arbitrary loading of Java classes, leading to…

  • CVE-2025-27511 (High) Jun 11, 2026
    risk 0.45 / cvss (none listed) / epss 0.01

    Summary: An administrator can perform a JNDI attack through a specially crafted DB2 JDBC URL, leading to remote code execution (RCE). Impact: If GeoServer has the DB2 extension installed, this vulnerability can lead to executing arbitrary code. Details: Authenticated users can…

  • CVE-2024-4471 (High) May 23, 2024
    risk 0.45 / cvss 8.0 / epss 0.01

    The 140+ Widgets | Best Addons For Elementor – FREE for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.4.3.1 via deserialization of untrusted input in the 'export_content' function. This allows authenticated attackers, with…

  • CVE-2024-29800 (High) May 14, 2024
    risk 0.45 / cvss 8.0 / epss 0.00

    Deserialization of Untrusted Data vulnerability in Timber Team & Contributors Timber. This issue affects Timber: from n/a through 1.23.0.

  • CVE-2021-21604 (High) Jan 13, 2021
    risk 0.45 / cvss 8.0 / epss 0.02

    Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows attackers with permission to create or configure various objects to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects once discarded by an administrator.

  • CVE-2020-15244 (High) Oct 21, 2020
    risk 0.45 / cvss 8.0 / epss 0.01

    In Magento (rubygems openmage/magento-lts package) before versions 19.4.8 and 20.0.4, an admin user can generate soap credentials that can be used to trigger RCE via PHP Object Injection through product attributes and a product. The issue is patched in versions 19.4.8 and 20.0.4.

  • CVE-2019-6338 (High) Jan 22, 2019
    risk 0.45 / cvss 8.0 / epss 0.02

    In Drupal Core versions 7.x prior to 7.62, 8.6.x prior to 8.6.6 and 8.5.x prior to 8.5.9, Drupal core uses the third-party PEAR Archive_Tar library. This library has released a security update which impacts some Drupal configurations. Refer to CVE-2018-1000888 for details.

  • CVE-2026-48775 (Medium) Jun 16, 2026
    risk 0.44 / cvss 6.8 / epss 0.00

    LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In versions 4.1.0 and prior, the JsonPlusSerializer can reconstruct Python objects from JSON checkpoint payloads. Under conditions where…

  • CVE-2026-38950 (High) Jun 1, 2026
    risk 0.44 / cvss 7.8 / epss 0.00

    An issue in ESA AnomalyMatch before 1.3.1 allows attackers to execute arbitrary code via crafted model checkpoint files. The affected components load model files from session directories using torch.load() with unrestricted deserialization.

  • CVE-2026-4372 (High) May 24, 2026
    risk 0.44 / cvss 7.8 / epss 0.00

    A critical remote code execution vulnerability exists in all versions of the HuggingFace transformers library prior to version 5.3.0. The vulnerability allows an attacker to craft a malicious `config.json` file containing the `_attn_implementation_internal` field set to an…

  • CVE-2026-31221 (High) May 12, 2026
    risk 0.44 / cvss 7.8 / epss 0.00

    PyTorch-Lightning versions 2.6.0 and earlier contain an insecure deserialization vulnerability (CWE-502) in the checkpoint loading mechanism. The LightningModule.load_from_checkpoint() method, which is commonly used to load saved model states, internally calls torch.load()…

  • CVE-2026-40048 (High) Apr 27, 2026
    risk 0.44 / cvss 7.8 / epss 0.00

    The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of `.key` files in the configured key directory using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. The cast to `java.security.KeyPair` is…

  • CVE-2026-1839 (High) Apr 7, 2026
    risk 0.44 / cvss 7.8 / epss 0.00

    A vulnerability in the HuggingFace Transformers library, specifically in the `Trainer` class, allows for arbitrary code execution. The `_load_rng_state()` method in `src/transformers/trainer.py` at line 3059 calls `torch.load()` without the `weights_only=True` parameter. This…

  • CVE-2026-3989 (High) Mar 12, 2026
    risk 0.44 / cvss 7.8 / epss 0.00

    SGLang's `replay_request_dump.py` contains an insecure pickle.load() call with no validation of the input and no safe deserialization. An attacker can exploit this by providing a malicious .pkl file, which executes the attacker's code on the device running the script.

  • CVE-2025-11157 (High) Jan 1, 2026
    risk 0.44 / cvss 7.8 / epss 0.00

    A high-severity remote code execution vulnerability exists in feast-dev/feast version 0.53.0, specifically in the Kubernetes materializer job located at `feast/sdk/python/feast/infra/compute_engines/kubernetes/main.py`. The vulnerability arises from the use of `yaml.load(...,…

  • CVE-2025-13716 (High) Dec 23, 2025
    risk 0.44 / cvss 7.8 / epss 0.00

    Tencent MimicMotion create_pipeline Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent MimicMotion. User interaction is required to exploit this…