CWE-502: Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
All Deserialization of Untrusted Data CVEs (1,058)
CVE-2025-15579 is a deserialization vulnerability in OpenText Directory Services that allows attackers to inject malicious objects. If exploited, it c... (Feb 18, 2026)
LightLLM versions 1.1.0 and earlier contain an unauthenticated remote code execution vulnerability in PD disaggregation mode. Attackers can send malic... (Feb 17, 2026)
This vulnerability in Hyland OnBase allows unauthenticated attackers to send crafted .NET Remoting requests to the Workflow Timer Service on TCP port ... (Feb 13, 2026)
CVE-2026-26215 is an unauthenticated remote code execution vulnerability in manga-image-translator's shared API mode. Attackers can send malicious pic... (Feb 11, 2026)
A remote code execution vulnerability in Google Cloud Data Fusion allows authenticated users with artifact upload permissions to execute arbitrary cod... (Dec 10, 2025)
CVE-2025-66631 is a remote code execution vulnerability in CSLA .NET framework versions 5.5.4 and below. It allows attackers to execute arbitrary code... (Dec 9, 2025)
This vulnerability allows remote, unauthenticated attackers to inject arbitrary PHP objects into UNA CMS via the profile_id POST parameter. Successful... (Dec 4, 2025)
LangGraph SQLite Checkpoint versions 2.1.2 and below contain a Remote Code Execution vulnerability in the JsonPlusSerializer. When illegal Unicode sur... (Nov 7, 2025)
About Deserialization of Untrusted Data (CWE-502)
Our database tracks 1,058 CVEs classified as CWE-502, with 522 rated critical and 480 rated high severity. The average CVSS score for Deserialization of Untrusted Data vulnerabilities is 8.8.
External reference: View CWE-502 on MITRE CWE →