CWE-502
Deserialization of Untrusted Data
Description
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-586
CVEs mapped to this weakness (1,721)
page 63 of 87

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-13715 | | High | 0.44 | 7.8 | 0.00 | | Dec 23, 2025 | Tencent FaceDetection-DSFD resnet Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent FaceDetection-DSFD. User interaction is required to exploit this… |
| CVE-2025-13714 | | High | 0.44 | 7.8 | 0.00 | | Dec 23, 2025 | Tencent MedicalNet generate_model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent MedicalNet. User interaction is required to exploit this… |
| CVE-2025-13713 | | High | 0.44 | 7.8 | 0.00 | | Dec 23, 2025 | Tencent Hunyuan3D-1 load_pretrained Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent Hunyuan3D-1. User interaction is required to exploit this… |
| CVE-2025-13712 | | High | 0.44 | 7.8 | 0.00 | | Dec 23, 2025 | Tencent HunyuanDiT merge Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent HunyuanDiT. User interaction is required to exploit this vulnerability in… |
| CVE-2025-13710 | | High | 0.44 | 7.8 | 0.00 | | Dec 23, 2025 | Tencent HunyuanVideo load_vae Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent HunyuanVideo. User interaction is required to exploit this vulnerability… |
| CVE-2025-13708 | | High | 0.44 | 7.8 | 0.00 | | Dec 23, 2025 | Tencent NeuralNLP-NeuralClassifier _load_checkpoint Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent NeuralNLP-NeuralClassifier. User interaction is… |
| CVE-2025-13707 | | High | 0.44 | 7.8 | 0.00 | | Dec 23, 2025 | Tencent HunyuanDiT model_resume Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent HunyuanDiT. User interaction is required to exploit this vulnerability… |
| CVE-2025-13706 | | High | 0.44 | 7.8 | 0.00 | | Dec 23, 2025 | Tencent PatrickStar merge_checkpoint Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent PatrickStar. User interaction is required to exploit this… |
| CVE-2024-0140 | | Med | 0.44 | 6.8 | 0.00 | | Jan 28, 2025 | NVIDIA RAPIDS contains a vulnerability in cuDF and cuML, where a user could cause a deserialization of untrusted data issue. A successful exploit of this vulnerability might lead to code execution, data tampering, denial of service, and information disclosure. |
| CVE-2024-34072 | | High | 0.44 | 7.8 | 0.00 | | May 3, 2024 | sagemaker-python-sdk is a library for training and deploying machine learning models on Amazon SageMaker. The sagemaker.base_deserializers.NumpyDeserializer module before v2.218.0 allows potentially unsafe deserialization when untrusted data is passed as pickled object arrays.… |
| CVE-2023-7018 | — | High | 0.44 | 7.8 | 0.01 | | Dec 20, 2023 | Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36. |
| CVE-2022-25647 | | High | 0.44 | 7.7 | 0.12 | | May 1, 2022 | The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks. |
| CVE-2021-4118 | | High | 0.44 | 7.8 | 0.01 | | Dec 23, 2021 | pytorch-lightning is vulnerable to Deserialization of Untrusted Data |
| CVE-2021-25738 | — | Med | 0.44 | 6.7 | 0.00 | | Oct 11, 2021 | Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution. |
| CVE-2020-24164 | — | High | 0.44 | 7.8 | 0.01 | | Sep 11, 2020 | A deserialization flaw is present in Taoensso Nippy before 2.14.2. In some circumstances, it is possible for an attacker to create a malicious payload that, when deserialized, will allow arbitrary code to be executed. This occurs because there is automatic use of the Java… |
| CVE-2013-7489 | — | Med | 0.44 | 6.8 | 0.01 | | Jun 26, 2020 | The Beaker library through 1.11.0 for Python is affected by deserialization of untrusted data, which could lead to arbitrary code execution. |
| CVE-2019-12086 | — | High | 0.44 | 7.5 | 0.22 | | May 17, 2019 | A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the… |
| CVE-2018-1000167 | — | High | 0.44 | 7.8 | 0.04 | | Apr 18, 2018 | OISF suricata-update version 1.0.0a1 contains an Insecure Deserialization vulnerability in the insecure yaml.load-Function as used in the following files: config.py:136, config.py:142, sources.py:99 and sources.py:131. The "list-sources"-command is affected by this bug. that can… |
| CVE-2018-1000074 | — | High | 0.44 | 7.8 | 0.03 | | Mar 13, 2018 | RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Deserialization of Untrusted Data vulnerability in owner command that can… |
| CVE-2026-7566 | | Med | 0.43 | 6.6 | 0.00 | | Jun 6, 2026 | The LearnPress – Backup & Migration Tool plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.1.4 via deserialization of untrusted input. This makes it possible for authenticated attackers, with administrator-level access and… |