CWE-502: Deserialization of Untrusted Data

CVE-2025-31927 is a PHP object injection vulnerability in the Acerola WordPress theme that allows attackers to execute arbitrary code through deserial...

CVE-2025-31423 is a PHP object injection vulnerability in the Umberto WordPress theme that allows attackers to execute arbitrary code by exploiting in...

This CVE describes a PHP object injection vulnerability in the Fish House WordPress theme due to insecure deserialization of untrusted data. Attackers...

This vulnerability allows attackers to inject malicious objects through deserialization of untrusted data in the HotStar WordPress theme. Successful e...

CVE-2025-31049 is a PHP object injection vulnerability in the Dash WordPress theme that allows attackers to execute arbitrary code through deserializa...

This vulnerability in vLLM versions 0.6.5 through 0.8.4 exposes the TCPStore interface on ALL network interfaces instead of only the specified private...

This vulnerability allows attackers to inject malicious objects through deserialization of untrusted data in the Grand Conference WordPress theme. Suc...

This vulnerability allows attackers to inject malicious objects through deserialization of untrusted data in the Foodbakery Sticky Cart WordPress plug...

This vulnerability in the ThemeGoods Altair WordPress theme allows attackers to inject malicious objects through deserialization of untrusted data. It...

CVE-2025-39349 is a PHP object injection vulnerability in the CiyaShop WordPress theme that allows attackers to execute arbitrary code through deseria...

This vulnerability allows attackers to execute arbitrary code on WordPress sites by exploiting insecure deserialization in the Events Calendar Registr...

This vulnerability allows remote attackers to execute arbitrary PHP code through deserialization of untrusted data in the Smart Sections Theme Builder...

Emlog versions 2.5.13 and prior contain a deserialization vulnerability where a user can craft a malicious nickname to cause deserialization failure. ...

The PGS Core WordPress plugin is vulnerable to PHP Object Injection via insecure deserialization in the 'import_header' function, allowing unauthentic...

This vulnerability allows remote code execution through unsafe deserialization in Retrieval-based-Voice-Conversion-WebUI. Attackers can exploit the mo...

This vulnerability allows remote attackers to execute arbitrary code on systems running Retrieval-based-Voice-Conversion-WebUI by exploiting unsafe de...

CVE-2025-43846 is a critical unsafe deserialization vulnerability in Retrieval-based-Voice-Conversion-WebUI that allows remote code execution. Attacke...

CVE-2025-43848 is an unsafe deserialization vulnerability in Retrieval-based-Voice-Conversion-WebUI that allows remote code execution. Attackers can e...

A critical Remote Command Execution vulnerability exists in PyTorch when loading models with torch.load(weights_only=True). Attackers can craft malici...

This vulnerability allows malicious Apache ActiveMQ servers to send specially crafted responses to NMS OpenWire clients, leading to arbitrary code exe...

CVE-2025-39550 is a PHP object injection vulnerability in the Shahjahan Jewel FluentCommunity WordPress plugin that allows attackers to execute arbitr...

This vulnerability allows attackers to execute arbitrary code on WordPress sites running the vulnerable HelpGent plugin by exploiting insecure deseria...

CVE-2025-32572 is a PHP object injection vulnerability in the Kata Plus WordPress plugin that allows attackers to execute arbitrary code through deser...

This vulnerability allows remote attackers to execute arbitrary code through PHP object injection via deserialization of untrusted data in the Saoshya...

A PHP object injection vulnerability in GNUCommerce WordPress plugin allows attackers to execute arbitrary code through deserialization of untrusted d...

The Everest Forms WordPress plugin is vulnerable to PHP object injection via deserialization of untrusted input in the 'field_value' parameter. This a...

This vulnerability allows attackers to inject malicious objects through deserialization of untrusted data in the EmpikPlace for WooCommerce WordPress ...

CVE-2025-32375 is an insecure deserialization vulnerability in BentoML's runner server that allows remote code execution. Attackers can execute arbitr...

CVE-2025-27520 is a critical remote code execution vulnerability in BentoML caused by insecure deserialization in serde.py. It allows unauthenticated ...

This vulnerability allows remote attackers to execute arbitrary code on Bitdefender GravityZone Console servers by exploiting insecure PHP deserializa...

This vulnerability allows attackers to inject malicious PHP objects through deserialization of untrusted data in the CBX Poll WordPress plugin. Succes...

This vulnerability in Apache Parquet's parquet-avro module allows attackers to execute arbitrary code by exploiting schema parsing flaws. It affects a...

This vulnerability allows attackers to inject malicious objects through deserialization of untrusted data in Sunshine Photo Cart WordPress plugin. Suc...

This CVE describes a PHP object injection vulnerability in the Export All Posts, Products, Orders, Refunds & Users WordPress plugin. Unauthenticated a...

A critical vulnerability in ONOS v2.7.0 allows attackers to execute arbitrary commands or access network information by sending a specially crafted LL...

This CVE describes a critical Remote Code Execution vulnerability in Kedro's ShelveStore class (version 0.19.8). Attackers can execute arbitrary Pytho...

CVE-2024-9053 is a critical remote code execution vulnerability in vLLM's AsyncEngineRPCServer where untrusted pickle data can be deserialized without...

A deserialization vulnerability in BentoML's runner server allows attackers to execute arbitrary code by manipulating the args-number parameter. This ...

This vulnerability allows remote attackers to execute arbitrary code on servers running modelscope/agentscope v0.0.6a3 by sending malicious serialized...

This CVE allows remote attackers to execute arbitrary code on systems running vulnerable versions of infiniflow/ragflow. Attackers can bypass authenti...

This critical vulnerability allows remote code execution in open-mmlab/mmdetection v3.3.0 through unsafe deserialization in distributed training. Atta...

CVE-2024-11041 is a critical remote code execution vulnerability in vLLM v0.6.2 where the MessageQueue.dequeue() function uses insecure pickle.loads()...

This vulnerability allows unauthenticated remote attackers to execute arbitrary code on H2O-3 machine learning platforms by exploiting insecure deseri...

Horovod versions up to v0.28.1 are vulnerable to unauthenticated remote code execution via malicious pickle objects in PUT requests. Attackers can exe...

Applio versions 3.2.8-bugfix and prior contain an unsafe deserialization vulnerability in infer.py that allows remote attackers to execute arbitrary c...

This vulnerability allows remote attackers to execute arbitrary code on Applio voice conversion tool servers by exploiting unsafe deserialization in t...

This CVE describes a PHP Object Injection vulnerability in CozyStay and TinySalt WordPress plugins. Unauthenticated attackers can inject PHP objects v...

CVE-2024-13824 is a PHP object injection vulnerability in the CiyaShop WordPress theme that allows unauthenticated attackers to inject malicious PHP o...

CVE-2025-25940 is an insecure XML deserialization vulnerability in VisiCut 2.1 that allows remote code execution when processing malicious PLF files. ...

This vulnerability allows remote code execution on Arctera InfoScale servers through insecure deserialization of .NET remoting messages. Attackers can...