CWE-502: Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

Total CVEs: 1,055
Critical: 519
High: 480
Avg CVSS: 8.8
In CISA KEV: 10

Yearly Trend

2026: 83
2025: 398
2024: 223
2023: 129
2022: 34

Top Affected Vendors

1. Apache (63)
2. Microsoft (37)
3. Debian (24)
4. Oracle (22)
5. IBM (22)
6. SolarWinds (19)
7. NetApp (17)
8. Adobe (14)
9. FasterXML (13)
10. Ivanti (9)

All Deserialization of Untrusted Data CVEs (1,055)

CVE-2025-59713 | CVSS 6.8 | Sep 19, 2025
CVE-2025-59713 is an unsafe deserialization vulnerability in Snipe-IT versions before 8.1.18 that could allow remote code execution. This affects all ...

CVE-2024-39673 | CVSS 6.8 | Jul 25, 2024
This vulnerability involves a serialization/deserialization mismatch in Huawei's iAware module that could allow attackers to access sensitive informat...

CVE-2025-24794 | CVSS 6.7 | Jan 29, 2025
The Snowflake Connector for Python uses pickle for OCSP response cache serialization, allowing local attackers to execute arbitrary code via cache poi...

CVE-2026-27794 | CVSS 6.6 | Feb 25, 2026
LangGraph Checkpoint versions before 4.0.0 contain a remote code execution vulnerability in the caching layer when applications enable cache backends ...

CVE-2025-39565 | CVSS 6.6 | Apr 16, 2025
A PHP object injection vulnerability in Melapress Login Security WordPress plugin allows attackers to execute arbitrary code through deserialization o...

CVE-2021-27017 | CVSS 6.6 | Feb 7, 2025
CVE-2021-27017 is a deserialization vulnerability in Puppet Agent that allows attackers to execute arbitrary code by supplying malicious serialized da...

CVE-2024-13296 | CVSS 6.6 | Jan 9, 2025
This vulnerability in Drupal Mailjet module allows attackers to inject malicious objects through deserialization of untrusted data, potentially leadin...

CVE-2021-4451 | CVSS 6.6 | Oct 16, 2024
The NinjaFirewall WordPress plugin up to version 4.3.3 contains an authenticated PHAR deserialization vulnerability. This allows authenticated attacke...

CVE-2026-1235 | CVSS 6.5 | Feb 11, 2026
The WP eCommerce WordPress plugin through version 3.15.1 has a PHP object injection vulnerability that allows unauthenticated attackers to execute arb...

CVE-2025-70559 | CVSS 6.5 | Feb 3, 2026
pdfminer.six contains an insecure deserialization vulnerability where Python pickle is used to deserialize CMap cache files without validation. An att...

CVE-2025-67535 | CVSS 6.5 | Dec 9, 2025
This vulnerability allows attackers to inject malicious PHP objects through deserialization of untrusted data in the WP Maps WordPress plugin. All Wor...

CVE-2025-66073 | CVSS 6.5 | Nov 21, 2025
This vulnerability allows attackers to inject malicious objects through deserialization of untrusted data in the WP Webhooks WordPress plugin. Attacke...

CVE-2025-63617 | CVSS 6.5 | Nov 10, 2025
This vulnerability allows remote code execution through unsafe fastjson deserialization in ktg-mes systems. Attackers can exploit this by sending mali...

CVE-2025-60834 | CVSS 6.5 | Oct 8, 2025
A deserialization vulnerability in uzy-ssm-mall v1.1.0 allows attackers to execute arbitrary code by sending specially crafted input to the applicatio...

CVE-2025-60828 | CVSS 6.5 | Oct 8, 2025
WukongCRM 9.0-JAVA contains a fastjson deserialization vulnerability in the /OaExamine/setOaExamine interface that allows remote code execution. This ...

CVE-2025-60830 | CVSS 6.5 | Oct 8, 2025
Redragon ERP v1.0 contains a Shiro deserialization vulnerability due to the use of default Shiro cryptographic keys. This allows attackers to execute ...

CVE-2025-59328 | CVSS 6.5 | Sep 15, 2025
This CVE describes a denial-of-service vulnerability in Apache Fory caused by insecure deserialization of untrusted data. Remote attackers can send sp...

CVE-2025-27526 | CVSS 6.5 | May 28, 2025
This CVE describes a deserialization vulnerability in Apache InLong that allows attackers to bypass security controls through JDBC URL encoding and ba...

CVE-2024-39334 | CVSS 6.5 | Jun 23, 2024
MENDELSON AS4 client software before version 2024 B376 has a deserialization vulnerability where malicious XML data from a trading partner can trigger...

CVE-2024-3591 | CVSS 6.5 | May 1, 2024
This vulnerability in the Geo Controller WordPress plugin allows unauthenticated attackers to perform PHP Object Injection by sending specially crafte...

CVE-2025-9191 | CVSS 6.3 | Nov 26, 2025
The Houzez WordPress theme is vulnerable to PHP object injection through deserialization of untrusted input in saved-search-item.php. This allows auth...

CVE-2023-51642 | CVSS 6.3 | Nov 22, 2024
This vulnerability allows remote authenticated attackers to execute arbitrary code on affected Allegra installations by exploiting a deserialization f...

CVE-2024-9917 | CVSS 6.3 | Oct 13, 2024
This critical vulnerability in HuangDou UTCMS V9 allows remote attackers to execute arbitrary code through insecure deserialization in the template_cr...

CVE-2024-6944 | CVSS 6.3 | Jul 21, 2024
This critical vulnerability in ZhongBangKeJi CRMEB allows remote attackers to execute arbitrary code through deserialization of untrusted data in the ...

CVE-2024-6943 | CVSS 6.3 | Jul 21, 2024
This CVE describes a critical remote code execution vulnerability in ZhongBangKeJi CRMEB e-commerce platform. Attackers can exploit insecure deseriali...

CVE-2024-6645 | CVSS 6.3 | Jul 10, 2024
This critical vulnerability in WuKongOpenSource Wukong_nocode allows remote attackers to execute arbitrary code through insecure deserialization in th...

CVE-2023-32737 | CVSS 6.3 | Jul 9, 2024
This vulnerability in SIMATIC STEP 7 Safety V18 allows attackers to execute arbitrary code by exploiting insecure .NET BinaryFormatter deserialization...

CVE-2024-5352 | CVSS 6.3 | May 26, 2024
This critical vulnerability in anji-plus AJ-Report allows remote attackers to execute arbitrary code through insecure deserialization in the validatio...

CVE-2024-4699 | CVSS 6.3 | May 14, 2024
This critical vulnerability in D-Link DAR-8000-10 devices allows remote attackers to execute arbitrary code through deserialization attacks targeting ...

CVE-2025-2251 | CVSS 6.2 | Apr 7, 2025
This vulnerability allows remote code execution on WildFly and JBoss EAP servers through untrusted deserialization in the EJB remote invocation mechan...

CVE-2024-34075 | CVSS 6.2 | May 3, 2024
CVE-2024-34075 is a deserialization vulnerability in the kurwov Markov chain library where malicious strings containing '__proto__ ' (with trailing sp...

CVE-2023-38264 | CVSS 5.9 | May 14, 2024
This vulnerability in IBM SDK Java Technology Edition's Object Request Broker allows attackers to cause denial of service by bypassing deserialization...

CVE-2025-55136 | CVSS 5.7 | Aug 7, 2025
CVE-2025-55136 is an insecure deserialization vulnerability in ERC (Emotion Recognition in Conversation) software versions through 0.3. Attackers can ...

CVE-2025-8871 | CVSS 5.6 | Nov 5, 2025
The Everest Forms Pro WordPress plugin is vulnerable to PHP object injection via deserialization of untrusted input in the mime_content_type() functio...

CVE-2025-2939 | CVSS 5.6 | Jun 3, 2025
The Ninja Tables WordPress plugin is vulnerable to PHP object injection via deserialization of untrusted input in the args[callback] parameter. This a...

CVE-2025-13467 | CVSS 5.5 | Nov 25, 2025
This vulnerability allows authenticated Keycloak realm administrators to trigger deserialization of untrusted Java objects by configuring a malicious ...

CVE-2025-54640 | CVSS 5.5 | Aug 6, 2025
CVE-2025-54640 is a ParcelMismatch vulnerability in attribute deserialization that allows attackers to manipulate data structures during deserializati...

CVE-2025-54639 | CVSS 5.5 | Aug 6, 2025
CVE-2025-54639 is a deserialization vulnerability in Huawei devices that allows attackers to manipulate attribute data during deserialization. Success...

CVE-2025-54638 | CVSS 5.5 | Aug 6, 2025
This vulnerability involves inconsistent read/write serialization in the ad module, which could allow an attacker to disrupt the availability of the a...

CVE-2025-54620 | CVSS 5.5 | Aug 6, 2025
This CVE describes a deserialization vulnerability in the ability module where untrusted data can be processed, potentially leading to denial of servi...

CVE-2025-20275 | CVSS 5.3 | Jun 4, 2025
This vulnerability allows unauthenticated attackers to execute arbitrary code on Cisco Unified CCX Editor systems by exploiting insecure Java deserial...

CVE-2024-10749 | CVSS 5.0 | Nov 4, 2024
This critical vulnerability in ThinkAdmin allows remote attackers to execute arbitrary code through insecure deserialization in the Plugs.php file. It...

CVE-2026-23685 | CVSS 4.4 | Feb 10, 2026
This CVE describes a deserialization vulnerability in SAP NetWeaver's JMS service that allows authenticated administrators with local access to submit...

CVE-2024-34751 | CVSS 4.4 | May 16, 2024
This vulnerability allows attackers to inject malicious PHP objects through deserialization of untrusted data in the WebToffee Order Export & Order Im...

CVE-2024-34433 | CVSS 4.4 | May 14, 2024
This vulnerability allows attackers to inject malicious PHP objects through deserialization of untrusted data in the One Click Demo Import WordPress p...

CVE-2019-2391 | CVSS 4.2 | Mar 31, 2020
A vulnerability in MongoDB's js-bson library versions 1.1.3 and earlier allows incorrect parsing of certain JSON inputs, leading to improper BSON seri...

CVE-2026-24656 | CVSS 3.7 | Jan 26, 2026
Apache Karaf Decanter's log socket collector has a deserialization vulnerability on port 4560 without authentication. Attackers can bypass allowed cla...

CVE-2025-15579 | CVSS N/A | Feb 18, 2026
CVE-2025-15579 is a deserialization vulnerability in OpenText Directory Services that allows attackers to inject malicious objects. If exploited, it c...

CVE-2026-26220 | CVSS N/A | Feb 17, 2026
LightLLM versions 1.1.0 and earlier contain an unauthenticated remote code execution vulnerability in PD disaggregation mode. Attackers can send malic...

CVE-2026-26221 | CVSS N/A | Feb 13, 2026
This vulnerability in Hyland OnBase allows unauthenticated attackers to send crafted .NET Remoting requests to the Workflow Timer Service on TCP port ...

About Deserialization of Untrusted Data (CWE-502)

Our database tracks 1,055 CVEs classified as CWE-502, with 519 rated critical and 480 rated high severity. The average CVSS score for Deserialization of Untrusted Data vulnerabilities is 8.8.

External reference: CWE-502 on MITRE CWE