CWE-502: Deserialization of Untrusted Data

This vulnerability in the giuliopanda ADFO WordPress plugin allows attackers to inject malicious objects through deserialization of untrusted data. It...

This vulnerability allows attackers to inject malicious objects through deserialization of untrusted data in the NHR Options Table Manager WordPress p...

The Mambo Importer WordPress plugin is vulnerable to PHP object injection via deserialization of untrusted input, allowing authenticated administrator...

The WP All Import Pro plugin for WordPress is vulnerable to PHP object injection through deserialization of untrusted import files. This allows authen...

This vulnerability allows authenticated attackers with Shop Manager or higher privileges to perform PHP object injection via the 'frs_woo_product_tabs...

The AI Power: Complete AI Pack WordPress plugin up to version 1.8.96 contains a PHP object injection vulnerability that allows authenticated administr...

This vulnerability allows authenticated WordPress administrators to perform PHP object injection through the 'AI Power: Complete AI Pack' plugin. Atta...

This CVE describes a PHP object injection vulnerability in the WC Price History for Omnibus WordPress plugin, allowing attackers to execute arbitrary ...

The Custom Product Tabs for WooCommerce WordPress plugin is vulnerable to PHP object injection via insecure deserialization of the 'yikes_woo_products...

This vulnerability allows authenticated attackers with Shop Manager or higher privileges to perform PHP object injection via the 'wb_custom_tabs' para...

This vulnerability allows attackers to inject malicious PHP objects through untrusted data deserialization in the WP Mega Menu WordPress plugin. Succe...

This vulnerability allows authenticated remote attackers to execute arbitrary code on affected Allegra installations by exploiting a deserialization f...

The Grid View Gallery WordPress plugin is vulnerable to PHP object injection through deserialization of untrusted input. This allows authenticated att...

This CVE describes a PHP object injection vulnerability in the WordPress plugin 'Backup and Staging by WP Time Capsule' due to unsafe deserialization ...

This vulnerability in the Rank Math SEO WordPress plugin allows authenticated attackers with Administrator privileges to perform PHP object injection ...

This vulnerability in the WP Editor WordPress plugin allows authenticated attackers with administrative privileges to execute arbitrary PHP code via d...

The Theme Editor WordPress plugin (versions ≤2.8) contains a PHP object injection vulnerability via the 'images_array' parameter. Authenticated atta...

The Simple Job Board WordPress plugin is vulnerable to PHP object injection through deserialization of untrusted input when editing job applications. ...

The News Flash WordPress theme is vulnerable to PHP object injection through deserialization of untrusted input in the newsflash_post_meta value. This...

This vulnerability allows remote attackers to execute arbitrary code on Microsoft SharePoint Server by exploiting insecure deserialization. It affects...

CVE-2024-30044 is a remote code execution vulnerability in Microsoft SharePoint Server that allows authenticated attackers to execute arbitrary code o...

The WPvivid Backup & Migration WordPress plugin is vulnerable to PHAR deserialization, allowing authenticated attackers with admin access to potential...

This vulnerability in the Weaver Xtreme Theme Support WordPress plugin allows authenticated attackers with high privileges to execute arbitrary PHP co...

This CVE describes a deserialization vulnerability in VMware Aria Operations that allows authenticated administrators to execute arbitrary commands on...

This vulnerability in the Customizer Export/Import WordPress plugin allows authenticated administrators to perform PHP Object Injection by exploiting ...

The SEOPress WordPress plugin before version 6.5.0.3 contains a PHP Object Injection vulnerability due to unsafe deserialization of user-controlled in...

This vulnerability in SolarWinds Platform allows remote attackers with Orion admin-level account access to execute arbitrary commands through deserial...

CVE-2023-0669 is a pre-authentication remote code execution vulnerability in Fortra GoAnywhere MFT that allows unauthenticated attackers to execute ar...

This vulnerability allows remote code execution in VMware Workspace ONE Access, Identity Manager, and vRealize Automation. An attacker with administra...

This vulnerability allows authenticated users with high privilege access to the Incapptic Connect web console to remotely execute arbitrary code on th...

This vulnerability allows remote attackers to execute arbitrary code by exploiting a deserialization flaw in HornetQ/Artemis JMS ObjectMessage handlin...

CVE-2021-33728 is a Java deserialization vulnerability in Siemens SINEC NMS that allows authenticated attackers to execute arbitrary code with root pr...

This vulnerability allows attackers to inject malicious PHP objects into Concrete5 applications through deserialization of untrusted data. Attackers c...

CVE-2021-32634 is an unsafe deserialization vulnerability in Emissary's WorkSpaceClientEnqueue REST endpoint that allows authenticated attackers to ex...

This CVE describes a remote insecure deserialization vulnerability in Aruba AirWave Management Platform that allows attackers to execute arbitrary cod...

CVE-2021-29654 is a deserialization vulnerability in AjaxSearchPro's administration panel import database feature that allows remote code execution. A...

CVE-2020-10657 is a remote code execution vulnerability in Proofpoint Insider Threat Management Server (formerly ObserveIT Server) that allows authent...

This vulnerability in Ozeki NG SMS Gateway allows attackers to achieve remote code execution by exploiting insecure .NET deserialization. Attackers ca...

The AI Engine WordPress plugin is vulnerable to PHP Object Injection via PHAR deserialization in functions handling audio transcription and vision que...

This vulnerability allows remote code execution on MindsDB servers through deserialization of untrusted data in uploaded models. Attackers can execute...

A serialization vulnerability in logback's receiver component (versions 1.4.11 and earlier) allows attackers to send maliciously crafted data that cau...

This vulnerability in Ladybug allows attackers to upload malicious XML files that get deserialized, leading to remote code execution on the server. An...

CVE-2025-59285 is a deserialization vulnerability in Azure Monitor Agent that allows authenticated attackers to execute arbitrary code with elevated p...

CVE-2023-38155 is a remote code execution vulnerability in Azure DevOps Server that allows authenticated attackers to execute arbitrary code on affect...

CVE-2026-28277 is a deserialization vulnerability in LangGraph SQLite Checkpoint that allows arbitrary code execution when loading maliciously crafted...

CVE-2025-59713 is an unsafe deserialization vulnerability in Snipe-IT versions before 8.1.18 that could allow remote code execution. This affects all ...

This vulnerability involves a serialization/deserialization mismatch in Huawei's iAware module that could allow attackers to access sensitive informat...

The Snowflake Connector for Python uses pickle for OCSP response cache serialization, allowing local attackers to execute arbitrary code via cache poi...

LangGraph Checkpoint versions before 4.0.0 contain a remote code execution vulnerability in the caching layer when applications enable cache backends ...

A PHP object injection vulnerability in Melapress Login Security WordPress plugin allows attackers to execute arbitrary code through deserialization o...