VYPR

CWE-502

Deserialization of Untrusted Data

Abstraction: Base
Status: Draft
Likelihood: Medium

Description

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-586

CVEs mapped to this weakness (1,721)

page 65 of 87
  • CVE-2026-24159 (Mar 24, 2026)
    risk 0.00 / cvss n/a / epss 0.01

    NVIDIA NeMo Framework contains a vulnerability where an attacker may cause remote code execution. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure and data tampering.

  • CVE-2026-24157 (Mar 24, 2026)
    risk 0.00 / cvss n/a / epss 0.01

    NVIDIA NeMo Framework contains a vulnerability in checkpoint loading where an attacker could cause remote code execution. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure and data tampering.

  • CVE-2025-54920 (Mar 14, 2026)
    risk 0.00 / cvss n/a / epss 0.05

    This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version 3.5.7 or 4.0.1 and above, which fixes the issue. Summary Apache Spark 3.5.4 and earlier versions contain a code execution vulnerability in the Spark History Web UI due to…

  • CVE-2026-3452 (Mar 4, 2026)
    risk 0.00 / cvss n/a / epss 0.01

    Concrete CMS below version 9.4.8 is vulnerable to Remote Code Execution by stored PHP object injection into the Express Entry List block via the columns parameter. An authenticated administrator can store attacker-controlled serialized data in block configuration fields that…

  • CVE-2026-27971 (Mar 3, 2026)
    risk 0.00 / cvss n/a / epss 0.05

    Qwik is a performance-focused JavaScript framework. qwik <=1.19.0 is vulnerable to RCE due to an unsafe deserialization vulnerability in the server$ RPC mechanism that allows any unauthenticated user to execute arbitrary code on the server with a single HTTP request. Affects any…

  • CVE-2026-27727 (Feb 25, 2026)
    risk 0.00 / cvss n/a / epss 0.01

    mchange-commons-java, a library that provides Java utilities, includes code that mirrors early implementations of JNDI functionality, including support for remote `factoryClassLocation` values, by which code can be downloaded and invoked within a running application. If an…

  • CVE-2026-25747 (Feb 23, 2026)
    risk 0.00 / cvss n/a / epss 0.01

    Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSerializer class deserializes data read from the LevelDB aggregation repository using java.io.ObjectInputStream without applying any ObjectInputFilter or…

  • CVE-2025-33253 (Feb 18, 2026)
    risk 0.00 / cvss n/a / epss 0.00

    NVIDIA NeMo Framework contains a vulnerability where an attacker could cause remote code execution by convincing a user to load a maliciously crafted file. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, and…

  • CVE-2025-33245 (Feb 18, 2026)
    risk 0.00 / cvss n/a / epss 0.01

    NVIDIA NeMo Framework contains a vulnerability where malicious data could cause remote code execution. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering.

  • CVE-2026-21531 (Feb 10, 2026)
    risk 0.00 / cvss n/a / epss 0.02

    Deserialization of untrusted data in Azure SDK allows an unauthorized attacker to execute code over a network.

  • CVE-2026-25632 (Feb 6, 2026)
    risk 0.00 / cvss n/a / epss 0.01

    EPyT-Flow is a Python package designed for the easy generation of hydraulic and water quality scenario data of water distribution networks. Prior to 0.16.1, EPyT-Flow’s REST API parses attacker-controlled JSON request bodies using a custom deserializer (my_load_from_json) that…

  • CVE-2025-70560 (Feb 3, 2026)
    risk 0.00 / cvss n/a / epss 0.00

    Boltz 2.0.0 contains an insecure deserialization vulnerability in its molecule loading functionality. The application uses Python pickle to deserialize molecule data files without validation. An attacker with the ability to place a malicious pickle file in a directory processed…

  • CVE-2026-24765 (Jan 27, 2026)
    risk 0.00 / cvss n/a / epss 0.00

    PHPUnit is a testing framework for PHP. A vulnerability has been discovered in versions prior to 12.5.8, 11.5.50, 10.5.62, 9.6.33, and 8.5.52 involving unsafe deserialization of code coverage data in PHPT test execution. The vulnerability exists in the `cleanupForCoverage()`…

  • CVE-2026-24747 (Jan 27, 2026)
    risk 0.00 / cvss n/a / epss 0.01

    PyTorch is a Python package that provides tensor computation. Prior to version 2.10.0, a vulnerability in PyTorch's `weights_only` unpickler allows an attacker to craft a malicious checkpoint file (`.pth`) that, when loaded with `torch.load(..., weights_only=True)`, can corrupt…

  • CVE-2026-24656 (Jan 26, 2026)
    risk 0.00 / cvss n/a / epss 0.01

    Deserialization of Untrusted Data vulnerability in Apache Karaf Decanter. The Decanter log socket collector exposes the port 4560, without authentication. If the collector exposes allowed classes property, this configuration can be bypassed. It means that the log socket…

  • CVE-2026-23946 (Jan 22, 2026)
    risk 0.00 / cvss n/a / epss 0.01

    Tendenci is an open source content management system built for non-profits, associations and cause-based sites. Versions 15.3.11 and below include a critical deserialization vulnerability in the Helpdesk module (which is not enabled by default). This vulnerability allows Remote…

  • CVE-2026-23737 (Jan 21, 2026)
    risk 0.00 / cvss n/a / epss 0.01

    seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, improper input handling in the JSON deserialization component can lead to arbitrary JavaScript code execution. Exploitation is possible via…

  • CVE-2026-23524 (Jan 21, 2026)
    risk 0.00 / cvss n/a / epss 0.01

    Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. In versions 1.6.3 and below, Reverb passes data from the Redis channel directly into PHP’s unserialize() function without restricting which classes can be instantiated, which leaves…

  • CVE-2025-68924 (Jan 16, 2026)
    risk 0.00 / cvss n/a / epss 0.01

    In Umbraco UmbracoForms through 8.13.16, an authenticated attacker can supply a malicious WSDL (aka Webservice) URL as a data source for remote code execution.

  • CVE-2026-21226 (Jan 13, 2026)
    risk 0.00 / cvss n/a / epss 0.01

    Deserialization of untrusted data in Azure Core shared client library for Python allows an authorized attacker to execute code over a network.