CWE-502
Deserialization of Untrusted Data
Abstraction: Base
Status: Draft
Likelihood: Medium
Description
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-586
CVEs mapped to this weakness (971)
Page 7 of 49

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-22384 | Cri | 0.64 | 9.8 | 0.00 | | Feb 20, 2026 | Deserialization of Untrusted Data vulnerability in leafcolor Applay - Shortcodes applay-shortcodes allows Object Injection. This issue affects Applay - Shortcodes: from n/a through <= 3.7. |
| CVE-2025-69405 | Cri | 0.64 | 9.8 | 0.00 | | Feb 20, 2026 | Deserialization of Untrusted Data vulnerability in ThemeREX Lorem Ipsum \| Books & Media Store lorem-ipsum-books-media-store allows Object Injection. This issue affects Lorem Ipsum \| Books & Media Store: from n/a through <= 1.2.11. |
| CVE-2025-69404 | Cri | 0.64 | 9.8 | 0.00 | | Feb 20, 2026 | Deserialization of Untrusted Data vulnerability in ThemeREX Extreme Store extremestore allows Object Injection. This issue affects Extreme Store: from n/a through <= 1.5.10. |
| CVE-2025-69382 | Cri | 0.64 | 9.8 | 0.00 | | Feb 20, 2026 | Deserialization of Untrusted Data vulnerability in themesflat Themesflat Elementor themesflat-elementor allows Object Injection. This issue affects Themesflat Elementor: from n/a through <= 1.0.1. |
| CVE-2025-69372 | Cri | 0.64 | 9.8 | 0.00 | | Feb 20, 2026 | Deserialization of Untrusted Data vulnerability in AncoraThemes SevenHills sevenhills allows Object Injection. This issue affects SevenHills: from n/a through <= 1.6.2. |
| CVE-2025-69371 | Cri | 0.64 | 9.8 | 0.00 | | Feb 20, 2026 | Deserialization of Untrusted Data vulnerability in AncoraThemes KindlyCare kindlycare allows Object Injection. This issue affects KindlyCare: from n/a through <= 1.6.1. |
| CVE-2025-69370 | Cri | 0.64 | 9.8 | 0.00 | | Feb 20, 2026 | Deserialization of Untrusted Data vulnerability in ThemeGoods Capella capella allows Object Injection. This issue affects Capella: from n/a through <= 2.5.5. |
| CVE-2025-69329 | Cri | 0.64 | 9.8 | 0.00 | | Feb 20, 2026 | Deserialization of Untrusted Data vulnerability in Jthemes Prestige prestige allows Object Injection. This issue affects Prestige: from n/a through < 1.4.1. |
| CVE-2025-69301 | Cri | 0.64 | 9.8 | 0.00 | | Feb 20, 2026 | Deserialization of Untrusted Data vulnerability in ThemeGoods PhotoMe photome allows Object Injection. This issue affects PhotoMe: from n/a through <= 5.6.11. |
| CVE-2025-68541 | Cri | 0.64 | 9.8 | 0.00 | | Feb 20, 2026 | Deserialization of Untrusted Data vulnerability in BoldThemes Ippsum ippsum allows Object Injection. This issue affects Ippsum: from n/a through <= 1.2.0. |
| CVE-2025-67997 | Cri | 0.64 | 9.8 | 0.00 | | Feb 20, 2026 | Deserialization of Untrusted Data vulnerability in BoldThemes Travelicious travelicious allows Object Injection. This issue affects Travelicious: from n/a through < 1.6.7. |
| CVE-2025-67996 | Cri | 0.64 | 9.8 | 0.00 | | Feb 20, 2026 | Deserialization of Untrusted Data vulnerability in BoldThemes Nestin nestin allows Object Injection. This issue affects Nestin: from n/a through < 1.2.6. |
| CVE-2025-67995 | Cri | 0.64 | 9.8 | 0.00 | | Feb 20, 2026 | Deserialization of Untrusted Data vulnerability in LoftOcean PatioTime patiotime allows Object Injection. This issue affects PatioTime: from n/a through < 2.1. |
| CVE-2026-23549 | Cri | 0.64 | 9.8 | 0.00 | | Feb 19, 2026 | Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently mage-eventpress allows Object Injection. This issue affects WpEvently: from n/a through <= 5.1.1. |
| CVE-2026-23542 | Cri | 0.64 | 9.8 | 0.00 | | Feb 19, 2026 | Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Restaurant grandrestaurant allows Object Injection. This issue affects Grand Restaurant: from n/a through <= 7.0.10. |
| CVE-2026-26221 | Cri | 0.64 | 9.8 | 0.01 | | Feb 13, 2026 | Hyland OnBase contains an unauthenticated .NET Remoting exposure in the OnBase Workflow Timer Service (Hyland.Core.Workflow.NTService.exe). An attacker who can reach the service can send crafted .NET Remoting requests to default HTTP channel endpoints on TCP/8900 (e.g., TimerServiceAPI.rem and TimerServiceEvents.rem for Workflow) to trigger unsafe object unmarshalling, enabling arbitrary file read/write. By writing attacker-controlled content into web-accessible locations or chaining with other OnBase features, this can lead to remote code execution. The same primitive can be abused by supplying a UNC path to coerce outbound NTLM authentication (SMB coercion) to an attacker-controlled host. |
| CVE-2020-37071 | Cri | 0.64 | 9.8 | 0.01 | | Feb 3, 2026 | CraftCMS 3 vCard Plugin 1.0.0 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary PHP code through a crafted payload. Attackers can generate a malicious serialized payload that triggers remote code execution by exploiting the plugin's vCard download functionality with a specially crafted request. |
| CVE-2026-0773 | Cri | 0.64 | 9.8 | 0.01 | | Jan 23, 2026 | Upsonic Cloudpickle Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Upsonic. Authentication is not required to exploit this vulnerability. The specific flaw exists within the add_tool endpoint, which listens on TCP port 7541 by default. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26845. |
| CVE-2025-69079 | Cri | 0.64 | 9.8 | 0.00 | | Jan 22, 2026 | Deserialization of Untrusted Data vulnerability in ThemeREX Sound \| Musical Instruments Online Store musicplace allows Object Injection. This issue affects Sound \| Musical Instruments Online Store: from n/a through <= 1.6.9. |
| CVE-2025-67617 | Cri | 0.64 | 9.8 | 0.00 | | Jan 22, 2026 | Deserialization of Untrusted Data vulnerability in themeton Consult Aid consultaid allows Object Injection. This issue affects Consult Aid: from n/a through <= 1.4.3. |