CWE-502: Deserialization of Untrusted Data

A deserialization vulnerability in the uxper Nuss WordPress theme allows attackers to inject malicious objects by manipulating serialized data. This a...

CVE-2025-47166 is a deserialization vulnerability in Microsoft Office SharePoint that allows authenticated attackers to execute arbitrary code remotel...

This CVE describes a Java deserialization vulnerability in Apache Kafka Connect that allows authenticated operators with configuration privileges to e...

This vulnerability allows attackers to inject malicious objects through deserialization of untrusted data in the WP Posts Carousel WordPress plugin. S...

This vulnerability in NVIDIA TensorRT-LLM allows attackers with local access to the TRTLLM server to exploit a data validation issue, potentially lead...

This vulnerability allows attackers to inject malicious objects through deserialization of untrusted data in the Rating by BestWebSoft WordPress plugi...

A deserialization vulnerability in the Stylemix uListing WordPress plugin allows attackers to inject malicious objects by processing untrusted data. T...

A deserialization vulnerability in BizRobo! Management Console allows remote attackers to execute arbitrary code by sending maliciously crafted data. ...

A PHP object injection vulnerability in the Job Board Manager WordPress plugin allows attackers to execute arbitrary code through deserialization of u...

This vulnerability allows attackers to inject malicious objects through deserialization of untrusted data in the WpTravelly WordPress plugin. Successf...

Welcart e-Commerce versions 2.11.6 and earlier contain an untrusted data deserialization vulnerability that allows remote unauthenticated attackers to...

This vulnerability in Jooby's pac4j SessionStoreImpl module allows remote code execution through insecure deserialization of untrusted session data. A...

The ProfileGrid WordPress plugin is vulnerable to PHP object injection via deserialization of untrusted input, allowing authenticated attackers with S...

This vulnerability allows remote code execution (RCE) for domain users in Veeam Backup & Replication. Attackers can execute arbitrary code with domain...

This vulnerability allows remote attackers to execute arbitrary commands on systems running vulnerable versions of binary-husky/gpt_academic by exploi...

This vulnerability allows attackers to inject malicious objects through deserialization of untrusted data in the Booking and Rental Manager WordPress ...

This vulnerability allows attackers to inject malicious objects through deserialization of untrusted data in the Events Calendar for GeoDirectory Word...

IBM Cognos Controller and IBM Controller contain an unrestricted deserialization vulnerability that allows authenticated users to execute arbitrary co...

This vulnerability allows authenticated users to execute arbitrary code on Trimble Cityworks servers via deserialization attacks. It affects organizat...

This vulnerability allows attackers to inject malicious objects through deserialization of untrusted data in the Taxi Booking Manager for WooCommerce ...

This vulnerability allows attackers on the local network to execute arbitrary code on IBM Sterling B2B Integrator systems by exploiting insecure deser...

The String Locator WordPress plugin is vulnerable to PHP object injection through deserialization of untrusted input, allowing unauthenticated attacke...

SuiteCRM 7.12.7 contains an authenticated file upload vulnerability that allows authenticated users to upload malicious files. When combined with inse...

CVE-2024-55555 is an unauthenticated remote code execution vulnerability in Invoice Ninja that allows attackers who know the APP_KEY to execute arbitr...

The UpdraftPlus WordPress backup plugin contains a PHP object injection vulnerability in versions 1.23.8 through 1.24.11. Unauthenticated attackers ca...

The Backup Migration plugin for WordPress is vulnerable to PHP object injection via insecure deserialization, allowing unauthenticated attackers to ex...

This vulnerability allows authenticated remote attackers to execute arbitrary code with SYSTEM privileges on GFI Archiver installations. The flaw exis...

This vulnerability allows low-privileged users without admin or power roles to execute arbitrary code remotely on affected Splunk systems. It affects ...

The Gallery WordPress plugin up to version 1.3 contains a PHP object injection vulnerability via the wd_gallery_$id parameter. This allows authenticat...

This vulnerability allows authenticated WordPress users with Contributor-level access or higher to perform PHP object injection via deserialization of...

This vulnerability allows remote attackers to execute arbitrary code by tricking users into loading malicious model files in Hugging Face Transformers...

This vulnerability allows remote attackers to execute arbitrary code on systems running vulnerable versions of Hugging Face Transformers with MobileVi...

This vulnerability allows attackers to inject malicious objects through deserialization of untrusted data in the QRMenu Restaurant QR Menu Lite WordPr...

The WPvivid WordPress plugin is vulnerable to PHP object injection via insecure deserialization in staging site functions. Unauthenticated attackers c...

This vulnerability allows attackers to inject malicious objects through untrusted data deserialization in the WPC Shop as a Customer for WooCommerce W...

This vulnerability allows attackers to inject malicious objects through deserialization of untrusted data in the Free Stock Photos Foter WordPress plu...

In Splunk Enterprise for Windows, low-privileged users without admin or power roles can achieve remote code execution due to insecure session storage....

The Unseen Blog WordPress theme is vulnerable to PHP Object Injection through deserialization of untrusted input. This allows authenticated attackers ...

The UltraPress WordPress theme is vulnerable to PHP object injection through deserialization of untrusted input. This allows authenticated attackers w...

This vulnerability allows authenticated attackers with Author-level WordPress access to perform PHP object injection via deserialization of untrusted ...

This vulnerability allows authorized attackers to execute arbitrary code on Apache HertzBeat servers by exploiting insecure deserialization in SnakeYa...

CVE-2024-45852 is a deserialization vulnerability in MindsDB that allows remote code execution when malicious models are uploaded. Attackers can execu...

This vulnerability allows remote attackers to execute arbitrary code on Microsoft SharePoint Server by exploiting insecure deserialization. It affects...

This vulnerability allows remote code execution through unsafe YAML deserialization in the Kubernetes plugin of the Samson deployment tool. Attackers ...

The Flipbox Builder WordPress plugin is vulnerable to PHP Object Injection via insecure deserialization, allowing authenticated attackers with Contrib...

This vulnerability allows authenticated attackers to execute arbitrary code on Apache Linkis servers by exploiting Java deserialization when adding My...

The Photo Video Gallery Master WordPress plugin is vulnerable to PHP object injection via deserialization of untrusted input in the 'PVGM_all_photos_d...

This vulnerability allows remote code execution through insecure deserialization in NukeViet and NukeViet-eGov admin interfaces. Attackers can exploit...

This vulnerability in MLflow allows remote code execution when users interact with maliciously uploaded Langchain AgentExecutor models. Attackers can ...

This vulnerability in MLflow allows remote code execution when deserializing untrusted data from malicious Recipes. It affects MLflow versions 1.27.0 ...