CWE-502: Deserialization of Untrusted Data

CVE-2020-24164 is a Java deserialization vulnerability in Taoensso Nippy library versions before 2.14.2. Attackers can craft malicious payloads that e...

This vulnerability allows a local threat actor to execute arbitrary code on systems running vulnerable versions of Progress Telerik Reporting. The att...

This vulnerability allows remote attackers to execute arbitrary code through insecure deserialization in the topthink/framework PHP package. It affect...

CVE-2022-25647 is a deserialization vulnerability in Google's Gson library versions before 2.8.9. Attackers can exploit the writeReplace() method in i...

CVE-2022-21647 is a deserialization vulnerability in CodeIgniter4's old() function that allows remote attackers to inject arbitrary objects and potent...

The NVIDIA NeMo Framework vulnerability allows remote attackers to execute arbitrary code by exploiting insecure deserialization of untrusted data. Th...

CVE-2024-52306 is a remote code execution vulnerability in FileManager's Backpack admin interface where untrusted data deserialization allows attacker...

The JS Archive List WordPress plugin is vulnerable to PHP object injection through the 'included' shortcode attribute. Authenticated attackers with Co...

openITCOCKPIT Community Edition 5.3.1 and earlier contains an unsafe PHP deserialization vulnerability in changelog processing. While no current explo...

CVE-2026-24891 is an unsafe deserialization vulnerability in openITCOCKPIT monitoring tool that allows PHP Object Injection when untrusted systems can...

This vulnerability allows attackers to spoof identities or data in Microsoft Office Outlook by exploiting insecure deserialization of untrusted data. ...

CVE-2026-25614 is a PHP object injection vulnerability in Blesta billing software that allows attackers to execute arbitrary code by deserializing unt...

This vulnerability allows authenticated remote attackers to execute arbitrary code on Langflow installations by exploiting insecure deserialization in...

CVE-2026-23737 is a deserialization vulnerability in seroval library versions 1.4.0 and below that allows arbitrary JavaScript code execution. Attacke...

This vulnerability in Azure Core shared client library for Python allows deserialization of untrusted data, enabling an authorized attacker to execute...

The Live Composer WordPress plugin is vulnerable to PHP object injection via deserialization of untrusted input in the dslc_module_posts_output shortc...

This CVE describes an insecure deserialization vulnerability in the MiczFlor RPi-Jukebox-RFID project's rss-mp3.php script. Remote unauthenticated att...

An insecure deserialization vulnerability in Twittodon's download.php script allows remote, unauthenticated attackers to inject arbitrary PHP objects ...

This vulnerability allows attackers to execute arbitrary code through PHP object injection by exploiting unsafe deserialization in the PDF for Gravity...

This vulnerability allows attackers to send specially crafted HTTP requests to React Server Components Server Function endpoints, causing unsafe deser...

A pre-authentication denial of service vulnerability in React Server Components allows attackers to send specially crafted HTTP requests to Server Fun...

This CVE describes a JDBC URL injection vulnerability in DataEase data visualization platform. Attackers can inject malicious JDBC strings through the...

This vulnerability in the Redirection for Contact Form 7 WordPress plugin allows unauthenticated attackers to perform PHP object injection when specif...

The Forminator WordPress plugin is vulnerable to PHP Object Injection via deserialization of untrusted input when form submissions are deleted. This a...

CVE-2025-3857 is a denial-of-service vulnerability in Amazon.IonDotnet's RawBinaryReader class that occurs when processing malformed or truncated bina...

CVE-2025-31103 is an untrusted data deserialization vulnerability in a-blog cms that allows attackers to upload arbitrary files to the server by sendi...

This vulnerability in the Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin allows PHP object injection via deserialization of un...

The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to PHP object injection via unsafe deserialization in the 'replace_serialize...

This vulnerability in vLLM allows remote code execution when loading malicious model checkpoints from Hugging Face. Attackers can execute arbitrary co...

MSFM before version 2025.01.01 contains a deserialization vulnerability in its pom.xml configuration file that could allow remote code execution. This...

This vulnerability allows authenticated WordPress users with Contributor-level access or higher to perform PHP object injection via AJAX requests. Att...

This vulnerability in MediaTek modem firmware allows remote attackers to cause a system crash (denial of service) without authentication or user inter...

CVE-2024-56068 is a PHP object injection vulnerability in the WP SuperBackup WordPress plugin that allows attackers to execute arbitrary code through ...

This CVE describes a deserialization vulnerability in PlexTrac's Runbooks modules that allows attackers to inject malicious objects and write arbitrar...

CVE-2024-6960 is a Java deserialization vulnerability in the H2O machine learning platform that allows remote code execution when malicious models are...

This vulnerability allows authenticated WordPress users with contributor-level access or higher to perform PHP object injection via deserialization of...

This vulnerability in the Phlox theme's Shortcodes plugin allows authenticated WordPress users with subscriber-level access to perform PHP object inje...

The Event Monster WordPress plugin is vulnerable to PHP object injection through deserialization of untrusted input from custom meta values via shortc...

A vulnerability in Clojure versions 1.20 through 1.12.0-alpha5 allows attackers to cause denial of service (DoS) by exploiting the clojure.core$partia...

This vulnerability in the Formidable Forms WordPress plugin allows anonymous attackers to perform PHP Object Injection by exploiting insecure deserial...

CVE-2023-32513 is a PHP object injection vulnerability in the GiveWP WordPress plugin that allows attackers to execute arbitrary code through deserial...

This vulnerability allows attackers to execute arbitrary PHP code through deserialization of untrusted data in the WordPress Structured Content (JSON-...

Frigate network video recorder versions before 0.13.0 Beta 3 contain an unsafe YAML deserialization vulnerability in configuration endpoints. This all...

This vulnerability allows attackers to bypass security controls in Apache InLong by using tab characters to exploit a deserialization flaw. It affects...

This vulnerability in Apache Avro Java SDK allows attackers to cause out-of-memory conditions by sending specially crafted data during deserialization...

This vulnerability in IBM B2B Advanced Communications and IBM Multi-Enterprise Integration Gateway allows attackers to cause denial of service by dese...

This CVE describes a deserialization vulnerability in Apache InLong that allows attackers to bypass security controls and read arbitrary files. It aff...

The pgmng module in Huawei HarmonyOS and related products contains a deserialization vulnerability (CWE-502) that could allow attackers to execute arb...

DataHub's SSO authentication improperly processes id_token claims with {#sb64} prefixes, allowing unsafe Java deserialization via pac4j library. This ...

This vulnerability allows remote code execution through insecure deserialization in Cambium Networks wireless devices. Attackers can send specially cr...