CWE-502
Deserialization of Untrusted Data
Description
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-586
CVEs mapped to this weakness (1,721)
page 65 of 87

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-24159 | | | 0.00 | — | 0.01 | | Mar 24, 2026 | NVIDIA NeMo Framework contains a vulnerability where an attacker may cause remote code execution. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure and data tampering. |
| CVE-2026-24157 | | | 0.00 | — | 0.01 | | Mar 24, 2026 | NVIDIA NeMo Framework contains a vulnerability in checkpoint loading where an attacker could cause remote code execution. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure and data tampering. |
| CVE-2025-54920 | | — | 0.00 | — | 0.05 | | Mar 14, 2026 | This issue affects Apache Spark: before 3.5.7 and 4.0.1. Users are recommended to upgrade to version 3.5.7 or 4.0.1 and above, which fixes the issue. Summary Apache Spark 3.5.4 and earlier versions contain a code execution vulnerability in the Spark History Web UI due to… |
| CVE-2026-3452 | | — | 0.00 | — | 0.01 | | Mar 4, 2026 | Concrete CMS below version 9.4.8 is vulnerable to Remote Code Execution by stored PHP object injection into the Express Entry List block via the columns parameter. An authenticated administrator can store attacker-controlled serialized data in block configuration fields that… |
| CVE-2026-27971 | | | 0.00 | — | 0.05 | | Mar 3, 2026 | Qwik is a performance focused javascript framework. qwik <=1.19.0 is vulnerable to RCE due to an unsafe deserialization vulnerability in the server$ RPC mechanism that allows any unauthenticated user to execute arbitrary code on the server with a single HTTP request. Affects any… |
| CVE-2026-27727 | | — | 0.00 | — | 0.01 | | Feb 25, 2026 | mchange-commons-java, a library that provides Java utilities, includes code that mirrors early implementations of JNDI functionality, including support for remote `factoryClassLocation` values, by which code can be downloaded and invoked within a running application. If an… |
| CVE-2026-25747 | | | 0.00 | — | 0.01 | | Feb 23, 2026 | Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSerializer class deserializes data read from the LevelDB aggregation repository using java.io.ObjectInputStream without applying any ObjectInputFilter or… |
| CVE-2025-33253 | | | 0.00 | — | 0.00 | | Feb 18, 2026 | NVIDIA NeMo Framework contains a vulnerability where an attacker could cause remote code execution by convincing a user to load a maliciously crafted file. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, and… |
| CVE-2025-33245 | | | 0.00 | — | 0.01 | | Feb 18, 2026 | NVIDIA NeMo Framework contains a vulnerability where malicious data could cause remote code execution. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. |
| CVE-2026-21531 | | — | 0.00 | — | 0.02 | | Feb 10, 2026 | Deserialization of untrusted data in Azure SDK allows an unauthorized attacker to execute code over a network. |
| CVE-2026-25632 | | — | 0.00 | — | 0.01 | | Feb 6, 2026 | EPyT-Flow is a Python package designed for the easy generation of hydraulic and water quality scenario data of water distribution networks. Prior to 0.16.1, EPyT-Flow's REST API parses attacker-controlled JSON request bodies using a custom deserializer (my_load_from_json) that… |
| CVE-2025-70560 | | | 0.00 | — | 0.00 | | Feb 3, 2026 | Boltz 2.0.0 contains an insecure deserialization vulnerability in its molecule loading functionality. The application uses Python pickle to deserialize molecule data files without validation. An attacker with the ability to place a malicious pickle file in a directory processed… |
| CVE-2026-24765 | | | 0.00 | — | 0.00 | | Jan 27, 2026 | PHPUnit is a testing framework for PHP. A vulnerability has been discovered in versions prior to 12.5.8, 11.5.50, 10.5.62, 9.6.33, and 8.5.52 involving unsafe deserialization of code coverage data in PHPT test execution. The vulnerability exists in the `cleanupForCoverage()`… |
| CVE-2026-24747 | | | 0.00 | — | 0.01 | | Jan 27, 2026 | PyTorch is a Python package that provides tensor computation. Prior to version 2.10.0, a vulnerability in PyTorch's `weights_only` unpickler allows an attacker to craft a malicious checkpoint file (`.pth`) that, when loaded with `torch.load(..., weights_only=True)`, can corrupt… |
| CVE-2026-24656 | | | 0.00 | — | 0.01 | | Jan 26, 2026 | Deserialization of Untrusted Data vulnerability in Apache Karaf Decanter. The Decanter log socket collector exposes the port 4560, without authentication. If the collector exposes allowed classes property, this configuration can be bypassed. It means that the log socket… |
| CVE-2026-23946 | | | 0.00 | — | 0.01 | | Jan 22, 2026 | Tendenci is an open source content management system built for non-profits, associations and cause-based sites. Versions 15.3.11 and below include a critical deserialization vulnerability in the Helpdesk module (which is not enabled by default). This vulnerability allows Remote… |
| CVE-2026-23737 | | | 0.00 | — | 0.01 | | Jan 21, 2026 | seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, improper input handling in the JSON deserialization component can lead to arbitrary JavaScript code execution. Exploitation is possible via… |
| CVE-2026-23524 | | | 0.00 | — | 0.01 | | Jan 21, 2026 | Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. In versions 1.6.3 and below, Reverb passes data from the Redis channel directly into PHP's unserialize() function without restricting which classes can be instantiated, which leaves… |
| CVE-2025-68924 | | — | 0.00 | — | 0.01 | | Jan 16, 2026 | In Umbraco UmbracoForms through 8.13.16, an authenticated attacker can supply a malicious WSDL (aka Webservice) URL as a data source for remote code execution. |
| CVE-2026-21226 | | | 0.00 | — | 0.01 | | Jan 13, 2026 | Deserialization of untrusted data in Azure Core shared client library for Python allows an authorized attacker to execute code over a network. |