CWE-502: Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

Total CVEs: 1,013
Critical: 494
High: 463
Avg CVSS: 8.8
In CISA KEV: 10

Yearly Trend

2026: 83
2025: 398
2024: 223
2023: 129
2022: 34

Top Affected Vendors

1. Apache (59)
2. Microsoft (36)
3. SolarWinds (19)
4. IBM (18)
5. Debian (17)
6. Oracle (16)
7. Adobe (14)
8. NetApp (12)
9. Ivanti (9)
10. GiveWP (9)

All Deserialization of Untrusted Data CVEs (1,013)

CVE-2021-21677 | CVSS 8.8 | Aug 31, 2021
This vulnerability in Jenkins Code Coverage API Plugin allows attackers to execute arbitrary code on Jenkins servers by exploiting insecure deserializ...

CVE-2021-39132 | CVSS 8.8 | Aug 30, 2021
This vulnerability allows authenticated users to upload malicious files that can execute arbitrary code on Rundeck servers. It affects all Rundeck edi...

CVE-2021-24579 | CVSS 8.8 | Aug 30, 2021
This vulnerability in the Bold Page Builder WordPress plugin allows attackers to perform PHP Object Injection via AJAX requests. Attackers could poten...

CVE-2021-24307 | CVSS 8.8 | May 24, 2021
This vulnerability allows authenticated WordPress administrators (or users with 'aioseo_tools_settings' privilege) to execute arbitrary code on the se...

CVE-2021-24280 | CVSS 8.8 | May 14, 2021
This vulnerability in the Redirection for Contact Form 7 WordPress plugin allows any authenticated user (even low-privileged subscribers) to execute P...

CVE-2021-25151 | CVSS 8.8 | Apr 28, 2021
This vulnerability allows remote attackers to execute arbitrary code on Aruba AirWave Management Platform systems by exploiting insecure deserializati...

CVE-2020-8884 | CVSS 8.8 | Jan 6, 2021
CVE-2020-8884 allows remote authenticated users to execute arbitrary code with SYSTEM privileges on Proofpoint Insider Threat Management Windows Agent...

CVE-2020-26165 | CVSS 8.8 | Dec 31, 2020
CVE-2020-26165 is a PHP object injection vulnerability in qdPM project management software that allows attackers to execute arbitrary code by exploiti...

CVE-2020-9301 | CVSS 8.8 | Dec 11, 2020
This vulnerability in Spinnaker allows authenticated attackers to execute arbitrary SpEL expressions via HTTP POST requests, enabling file read/write ...

CVE-2024-23512 | CVSS 8.7 | Feb 12, 2024
This CVE describes a PHP object injection vulnerability in the ProductX WordPress plugin that allows attackers to execute arbitrary code through deser...

CVE-2024-22309 | CVSS 8.7 | Jan 24, 2024
This vulnerability allows unauthenticated attackers to perform PHP object injection via deserialization of untrusted data in the QuantumCloud ChatBot ...

CVE-2024-22284 | CVSS 8.7 | Jan 24, 2024
This CVE describes a PHP object injection vulnerability in the Asgaros Forum WordPress plugin due to insecure deserialization of untrusted data. Attac...

CVE-2025-68665 | CVSS 8.6 | Dec 23, 2025
This vulnerability allows attackers to inject malicious serialized objects into LangChain applications by exploiting improper escaping of user-control...

CVE-2025-60084 | CVSS 8.6 | Dec 18, 2025
This vulnerability allows attackers to inject malicious objects through untrusted data deserialization in the PDF for Elementor Forms WordPress plugin...

CVE-2025-64512 | CVSS 8.6 | Nov 10, 2025
CVE-2025-64512 is a remote code execution vulnerability in pdfminer.six where malicious PDF files can trigger deserialization of arbitrary pickle file...

CVE-2025-43960 | CVSS 8.6 | Aug 25, 2025
CVE-2025-43960 is a PHP Object Injection vulnerability in Adminer 4.8.1 when using Monolog for logging, allowing remote unauthenticated attackers to c...

CVE-2025-1403 | CVSS 8.6 | Feb 21, 2025
This vulnerability allows remote attackers to cause denial of service by sending maliciously crafted QPY files to Qiskit applications. The malformed s...

CVE-2022-1118 | CVSS 8.6 | May 17, 2022
This vulnerability allows arbitrary code execution through insecure deserialization in Rockwell Automation engineering software. Attackers can craft m...

CVE-2025-47584 | CVSS 8.5 | Jun 6, 2025
A PHP object injection vulnerability in the Photography WordPress theme allows attackers to execute arbitrary code by exploiting insecure deserializat...

CVE-2025-27925 | CVSS 8.5 | Mar 10, 2025
CVE-2025-27925 is an insecure deserialization vulnerability in Nintex Automation that allows attackers to execute arbitrary code by sending malicious ...

CVE-2024-35780 | CVSS 8.5 | Jun 19, 2024
This CVE describes a PHP object injection vulnerability in the Page Builder: Live Composer WordPress plugin. Attackers with contributor-level access c...

CVE-2024-32876 | CVSS 8.5 | Apr 24, 2024
CVE-2024-32876 allows arbitrary code execution in NewPipe Android app when users import malicious backup files. The vulnerability affects all users of...

CVE-2024-30222 | CVSS 8.5 | Mar 28, 2024
This CVE describes a PHP object injection vulnerability in the ARMember WordPress plugin, allowing attackers to execute arbitrary code through deseria...

CVE-2021-39150 | CVSS 8.5 | Aug 23, 2021
CVE-2021-39150 is a deserialization vulnerability in XStream library that allows remote attackers to access internal resources by manipulating XML inp...

CVE-2025-70560 | CVSS 8.4 | Feb 3, 2026
Boltz 2.0.0 contains a critical insecure deserialization vulnerability that allows arbitrary code execution when loading malicious pickle files. Attac...

CVE-2025-61810 | CVSS 8.4 | Dec 10, 2025
This vulnerability allows attackers to execute arbitrary code on ColdFusion servers by sending malicious serialized data. It affects ColdFusion 2025.4...

CVE-2025-60455 | CVSS 8.4 | Nov 18, 2025
CVE-2025-60455 is an unsafe deserialization vulnerability in Modular Max Serve that allows remote code execution when the experimental KVCache agent f...

CVE-2025-59050 | CVSS 8.4 | Sep 16, 2025
This vulnerability allows a local attacker to execute arbitrary code within the Greenshot screenshot utility process by sending malicious WM_COPYDATA ...

CVE-2025-54886 | CVSS 8.4 | Aug 8, 2025
CVE-2025-54886 is a deserialization vulnerability in the skops Python library that allows arbitrary code execution when loading models. Attackers can ...

CVE-2025-30285 | CVSS 8.4 (EPSS 28.1%) | Apr 8, 2025
This CVE describes a deserialization vulnerability in Adobe ColdFusion that allows arbitrary code execution when untrusted data is processed. Attacker...

CVE-2025-31175 | CVSS 8.4 | Apr 7, 2025
A deserialization mismatch vulnerability in the DSoftBus module allows attackers to manipulate serialized data to potentially execute arbitrary code o...

CVE-2024-10095 | CVSS 8.4 | Dec 16, 2024
CVE-2024-10095 is an insecure deserialization vulnerability in Progress Telerik UI for WPF that allows remote code execution. Attackers can exploit th...

CVE-2024-49063 | CVSS 8.4 | Dec 12, 2024
CVE-2024-49063 is a remote code execution vulnerability in Microsoft/Muzic that allows attackers to execute arbitrary code on affected systems by expl...

CVE-2021-39207 | CVSS 8.4 | Sep 10, 2021
CVE-2021-39207 is a YAML deserialization vulnerability in the ParlAI framework that allows arbitrary code execution when processing malicious YAML fil...

CVE-2020-17144 | CVSS 8.4 | Dec 10, 2020
CVE-2020-17144 is a remote code execution vulnerability in Microsoft Exchange Server that allows authenticated attackers to execute arbitrary code on ...

CVE-2022-41137 | CVSS 8.3 | Dec 5, 2024
This vulnerability in Apache Hive Metastore allows authenticated users to achieve remote code execution by exploiting unsafe deserialization in partit...

CVE-2023-28782 | CVSS 8.3 | Dec 20, 2023
CVE-2023-28782 is an unauthenticated PHP object injection vulnerability in Gravity Forms WordPress plugin that allows attackers to execute arbitrary c...

CVE-2023-34027 | CVSS 8.3 | Dec 19, 2023
This CVE describes a PHP object injection vulnerability in the WordPress Recently Viewed Products plugin. Attackers can exploit deserialization of unt...

CVE-2023-37390 | CVSS 8.3 | Dec 19, 2023
This CVE describes an unauthenticated PHP object injection vulnerability in the Themesflat Addons For Elementor WordPress plugin. Attackers can exploi...

CVE-2025-46183 | CVSS 8.2 | Oct 24, 2025
CVE-2025-46183 is a deserialization vulnerability in pgCodeKeeper's Utils.deserialize function that allows remote code execution when processing malic...

CVE-2024-2721 | CVSS 8.2 | Mar 20, 2024
This vulnerability allows attackers to execute arbitrary code on WordPress sites running the Social Media Share Buttons plugin by exploiting PHP objec...

CVE-2024-24796 | CVSS 8.2 | Feb 12, 2024
This vulnerability allows remote attackers to execute arbitrary code via PHP object injection due to unsafe deserialization in the WpEvently WordPress...

CVE-2026-27206 | CVSS 8.1 | Feb 21, 2026
Zumba Json Serializer versions 3.2.2 and below allow PHP Object Injection through untrusted JSON deserialization. The library's @type field can instan...

CVE-2026-27475 | CVSS 8.1 | Feb 19, 2026
SPIP versions before 4.4.9 contain an insecure deserialization vulnerability in the public area through the table_valeur filter and DATA iterator. Att...

CVE-2026-0762 | CVSS 8.1 | Jan 23, 2026
This vulnerability allows remote attackers to execute arbitrary code with root privileges on GPT Academic installations by exploiting insecure deseria...

CVE-2026-24009 | CVSS 8.1 | Jan 22, 2026
This vulnerability allows remote code execution through malicious YAML input in docling-core library versions 2.21.0 to 2.48.3. Attackers can execute ...

CVE-2026-0726 | CVSS 8.1 | Jan 20, 2026
The Nexter Extension plugin for WordPress has a PHP object injection vulnerability that allows unauthenticated attackers to inject malicious PHP objec...

CVE-2025-14044 | CVSS 8.1 | Dec 12, 2025
The Visitor Logic Lite WordPress plugin up to version 1.0.3 contains a PHP object injection vulnerability that allows unauthenticated attackers to inj...

CVE-2025-58592 | CVSS 8.1 | Nov 6, 2025
This vulnerability allows attackers to inject malicious objects through deserialization of untrusted data in the TranslatePress WordPress plugin. Succ...

CVE-2025-59007 | CVSS 8.1 | Oct 22, 2025
This vulnerability allows attackers to inject malicious objects through deserialization of untrusted data in the TF Woo Product Grid Addon For Element...

About Deserialization of Untrusted Data (CWE-502)

Our database tracks 1,013 CVEs classified as CWE-502, with 494 rated critical and 463 rated high severity. The average CVSS score for Deserialization of Untrusted Data vulnerabilities is 8.8.

External reference: CWE-502 on MITRE CWE
