CWE-502: Deserialization of Untrusted Data

CVE-2021-21426 is an insecure deserialization vulnerability in Magento-LTS that allows remote code execution. Attackers can exploit this to execute ar...

CVE-2021-21524 is a critical untrusted deserialization vulnerability in Dell SRM and SMR software that allows remote unauthenticated attackers to exec...

Apache OFBiz versions before 17.12.06 contain an unsafe deserialization vulnerability in the SOAP component. Unauthenticated attackers can exploit thi...

CVE-2020-36282 is a critical deserialization vulnerability in RabbitMQ JMS Client that allows remote code execution when processing malicious StreamMe...

CVE-2020-29045 is a critical remote code execution vulnerability in the Food and Drink Menu WordPress plugin. Attackers can execute arbitrary code by ...

This vulnerability allows remote attackers to execute arbitrary code on WordPress sites using the wp-hotel-booking plugin through version 1.10.2. Atta...

CVE-2021-22855 is a critical deserialization vulnerability in the Soar Cloud System HR Portal that allows remote attackers to execute arbitrary comman...

CVE-2021-27213 is a critical remote code execution vulnerability in pystemon's config.py file that allows attackers to execute arbitrary code via YAML...

CVE-2020-27868 is a critical remote code execution vulnerability in Qognify Ocularis video management software. Unauthenticated attackers can exploit ...

This vulnerability allows remote unauthenticated attackers to send malicious messages to SolarWinds Orion's Collector Service on TCP port 1801, which ...

CVE-2021-3160 is an unauthenticated remote code execution vulnerability in ASSUWEB 359.3 build 1, a subcomponent of ACA ASSUREX RENTES insurance contr...

CVE-2020-4682 is a critical remote code execution vulnerability in IBM MQ caused by unsafe deserialization of trusted data. Attackers can exploit this...

CVE-2020-27583 is a critical Java deserialization vulnerability in IBM InfoSphere Information Server 8.5.0.0 that allows unauthenticated remote attack...

CVE-2021-25294 is a critical remote code execution vulnerability in OpenCATS caused by unsafe deserialization of user input. Attackers can exploit thi...

CVE-2020-24639 is a critical Java deserialization vulnerability in Airwave Glass that allows remote attackers to execute arbitrary commands. Successfu...

This vulnerability allows remote attackers to execute arbitrary code on ThinkAdmin systems by exploiting insecure unserialize functions in specific AP...

CVE-2020-11995 is a critical deserialization vulnerability in Apache Dubbo that allows remote attackers to execute arbitrary code by sending specially...

This vulnerability allows unauthenticated remote attackers to execute arbitrary code with local administrator privileges on Proofpoint Insider Threat ...

CVE-2020-10658 is a critical remote code execution vulnerability in Proofpoint Insider Threat Management Server (formerly ObserveIT Server) that allow...

CVE-2021-3007 is a PHP deserialization vulnerability in Laminas Project's laminas-http component (and Zend Framework) that allows remote code executio...

CVE-2019-7725 is a critical deserialization vulnerability in NukeViet CMS that allows remote code execution by exploiting the untrusted nvloginhash co...

CVE-2020-22083 is a critical remote code execution vulnerability in jsonpickle versions through 1.4.1. It allows attackers to execute arbitrary code d...

CVE-2020-5664 is a critical deserialization vulnerability in XooNIps that allows remote attackers to execute arbitrary code on affected systems. This ...

CVE-2020-28032 is a critical deserialization vulnerability in WordPress that allows remote code execution. It affects WordPress sites before version 5...

CVE-2020-24648 is a critical remote code execution vulnerability in HPE Intelligent Management Center (iMC) that allows attackers to execute arbitrary...

This vulnerability allows remote attackers to execute arbitrary code on ARC Informatique PcVue web and mobile back-end servers by exploiting insecure ...

This vulnerability allows remote attackers to execute arbitrary code on Hyland OnBase servers by sending specially crafted SOAP messages that exploit ...

This vulnerability allows remote attackers to execute arbitrary code on Hyland OnBase systems due to unsafe JSON deserialization. Attackers can achiev...

This vulnerability allows remote attackers to execute arbitrary code on IBM WebSphere Application Server by sending specially crafted serialized objec...

CVE-2020-1948 is a critical deserialization vulnerability in Apache Dubbo that allows remote code execution. Attackers can send malicious RPC requests...

This vulnerability allows remote attackers to execute arbitrary code on Atlassian Jira Server and Data Center instances through insecure deserializati...

This vulnerability allows remote attackers to execute arbitrary commands on affected Cisco devices by sending crafted serialized Java objects. It affe...

Adobe Connect versions 24.0 and earlier contain a deserialization vulnerability that allows attackers to execute arbitrary code on affected systems. E...

The huggingface/transformers library contains a critical vulnerability allowing arbitrary code execution through malicious serialized checkpoints. Att...

This CVE describes an unauthenticated PHP object injection vulnerability in the EnvíaloSimple WordPress plugin. Attackers can exploit deserialization...

CVE-2023-42809 is a critical deserialization vulnerability in Redisson Java Redis client that allows remote code execution. Attackers who can redirect...

This vulnerability in the Orchid Laravel package allows remote code execution through deserialization of untrusted data from the '_state' query parame...

This vulnerability allows remote unauthenticated attackers to execute arbitrary code on McAfee Database Security servers by sending malicious Java ser...

A serialization injection vulnerability in LangChain's dumps() and dumpd() functions allows attackers to inject malicious data that gets treated as le...

This vulnerability allows an unauthorized attacker to execute arbitrary code on Microsoft Update Catalog webservers by exploiting insecure deserializa...

This vulnerability allows arbitrary code execution when TensorFlow or Keras deserializes a malicious YAML model file. Attackers can exploit unsafe YAM...

A buffer overflow vulnerability in scrcpy allows a compromised Android device to send crafted messages that cause memory corruption on the host system...

A high-privileged user can exploit a deserialization vulnerability in SAP jConnect to execute arbitrary code remotely. This affects SAP systems using ...

CVE-2025-55010 is an unsafe deserialization vulnerability in Kanboard that allows admin users to execute arbitrary PHP code by manipulating event data...

SAP NetWeaver Enterprise Portal Federated Portal Network has a deserialization vulnerability where privileged users can upload malicious content. When...

This vulnerability allows attackers to exploit insecure deserialization in Apache InLong's JDBC component, enabling arbitrary file reading on affected...

The Uncanny Automator WordPress plugin contains a PHP object injection vulnerability that allows unauthenticated attackers to execute arbitrary code t...

CVE-2025-42999 is a deserialization vulnerability in SAP NetWeaver Visual Composer Metadata Uploader that allows privileged users to upload malicious ...

This CVE describes a deserialization vulnerability in Adobe ColdFusion that allows attackers to execute arbitrary code without user interaction. Syste...

This CVE describes a fastjson deserialization vulnerability in MSFM that allows remote code execution by sending malicious payloads to the system/tabl...