CWE-502: Deserialization of Untrusted Data
2,466 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-502 (page 1 of 50). Each entry lists the CVE id, severity, CVSS score, EG score, a KEV flag where the CVE is in CISA's Known Exploited Vulnerabilities catalog, and the date.
- CVE-2005-2875 | NONE | CVSS 0.0 | EG 0.0 | 2005-09-13
Py2Play allows remote attackers to execute arbitrary Python code via pickled objects, which Py2Play unpickles and executes.
- CVE-2007-1701 | NONE | CVSS 0.0 | EG 0.0 | 2007-03-27
PHP 4 before 4.4.5, and PHP 5 before 5.2.1, when register_globals is enabled, allows context-dependent attackers to execute arbitrary code via deserialization of session data, which overwrites arbitrary global variables, as demonstrated by…
- CVE-2010-3258 | NONE | CVSS 0.0 | EG 0.0 | 2010-09-07
The sandbox implementation in Google Chrome before 6.0.472.53 does not properly deserialize parameters, which has unspecified impact and remote attack vectors.
- CVE-2010-4574 | NONE | CVSS 0.0 | EG 0.0 | 2010-12-22
The Pickle::Pickle function in base/pickle.cc in Google Chrome before 8.0.552.224 and Chrome OS before 8.0.552.343 on 64-bit Linux platforms does not properly perform pointer arithmetic, which allows remote attackers to bypass message dese…
- CVE-2011-2520 | HIGH | CVSS 7.8 | EG 7.8 | 2011-07-21
fw_dbus.py in system-config-firewall 1.2.29 and earlier uses the pickle Python module unsafely during D-Bus communication between the GUI and the backend, which might allow local users to gain privileges via a crafted serialized object.
- CVE-2013-4521 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-02-06
RichFaces implementation in Nuxeo Platform 5.6.0 before HF27 and 5.8.0 before HF-01 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serializ…
- CVE-2013-7489 | MEDIUM | CVSS 6.8 | EG 6.8 | 2020-06-26
The Beaker library through 1.11.0 for Python is affected by deserialization of untrusted data, which could lead to arbitrary code execution.
- CVE-2014-1420 | LOW | CVSS 3.8 | EG 3.8 | 2020-09-11
On desktop, Ubuntu UI Toolkit's StateSaver would serialise data on tmp/ files which an attacker could use to expose potentially sensitive data. StateSaver would also open files without the O_EXCL flag. An attacker could exploit this to lau…
- CVE-2014-1860 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-01-08
Contao CMS through 3.2.4 has PHP Object Injection Vulnerabilities
- CVE-2014-3699 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-12-15
eDeploy has RCE via cPickle deserialization of untrusted data
- CVE-2015-2020 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-03-29
The MyScript SDK before 1.3 for Android might allow attackers to execute arbitrary code by leveraging a finalize method in a Serializable class that improperly passes an attacker-controlled pointer to a native function.
- CVE-2015-4852 | CRITICAL | CVSS 9.8 | EG 9.8 | ⚠ KEV | 2015-11-18
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to …
- CVE-2015-7450 | CRITICAL | CVSS 9.8 | EG 9.8 | ⚠ KEV | 2016-01-02
Serialized-object interfaces in certain IBM analytics, business solutions, cognitive, IT infrastructure, and mobile and social products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to t…
- CVE-2016-0750 | MEDIUM | CVSS 4.2 | EG 8.8 | 2018-09-11
The hotrod java client in infinispan before 9.1.0.Final automatically deserializes bytearray message contents in certain events. A malicious user could exploit this flaw by injecting a specially-crafted serialized object to attain remote c…
- CVE-2016-1000027 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-01-02
Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occu…
- CVE-2016-10750 | HIGH | CVSS 8.1 | EG 8.1 | 2019-05-22
In Hazelcast before 3.11, the cluster join procedure is vulnerable to remote code execution via Java deserialization. If an attacker can reach a listening Hazelcast instance with a crafted JoinRequest, and vulnerable classes exist in the c…
- CVE-2016-10753 | HIGH | CVSS 8.8 | EG 8.8 | 2019-05-24
e107 2.1.2 allows PHP Object Injection with resultant SQL injection, because usersettings.php uses unserialize without an HMAC.
- CVE-2016-1487 | HIGH | CVSS 8.8 | EG 8.8 | 2020-03-09
Lexmark Markvision Enterprise before 2.3.0 misuses the Apache Commons Collections Library, leading to remote code execution because of Java deserialization.
- CVE-2016-15044 | CRITICAL | CVSS 9.3 | EG 0.0 | 2025-07-23
A remote code execution vulnerability exists in Kaltura versions prior to 11.1.0-2 due to unsafe deserialization of user-controlled data within the keditorservices module. An unauthenticated remote attacker can exploit this issue by sendin…
- CVE-2016-3957 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-02-06
The secure_load function in gluon/utils.py in web2py before 2.14.2 uses pickle.loads to deserialize session information stored in cookies, which might allow remote attackers to execute arbitrary code by leveraging knowledge of encryption_k…
- CVE-2016-4398 | HIGH | CVSS 8.8 | EG 8.8 | 2018-08-06
A remote arbitrary code execution vulnerability was identified in HP Network Node Manager i (NNMi) Software 10.00, 10.01 (patch1), 10.01 (patch 2), 10.10 using Java Deserialization.
- CVE-2016-4405 | HIGH | CVSS 8.8 | EG 8.8 | 2018-08-06
A remote code execution vulnerability was identified in HP Business Service Management (BSM) using Apache Commons Collection Java Deserialization versions v9.20-v9.26
- CVE-2016-6814 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-01-18
When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was…
- CVE-2016-8511 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-02-15
A Remote Code Execution vulnerability in HPE Network Automation using RPCServlet and Java Deserialization version v9.1x, v9.2x, v10.00, v10.00.01, v10.00.02, v10.10, v10.11, v10.11.01, v10.20 was found.
- CVE-2016-8519 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-02-15
A remote code execution vulnerability in HPE Operations Orchestration Community edition and Enterprise edition prior to v10.70 was found.
- CVE-2016-8648 | HIGH | CVSS 7.2 | EG 7.2 | 2018-08-01
It was found that the Karaf container used by Red Hat JBoss Fuse 6.x, and Red Hat JBoss A-MQ 6.x, deserializes objects passed to MBeans via JMX operations. An attacker could use this flaw to execute remote code on the server as the user ru…
- CVE-2016-8653 | MEDIUM | CVSS 5.3 | EG 5.3 | 2018-08-01
It was found that the JMX endpoint of Red Hat JBoss Fuse 6, and Red Hat A-MQ 6 deserializes the credentials passed to it. An attacker could use this flaw to launch a denial of service attack.
- CVE-2016-9045 | HIGH | CVSS 8.8 | EG 8.8 | 2018-09-17
A code execution vulnerability exists in ProcessMaker Enterprise Core 3.0.1.7-community. A specially crafted web request can cause unsafe deserialization potentially resulting in PHP code being executed. An attacker can send a crafted web …
- CVE-2016-9483 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-07-13
The PHP form code generated by PHP FormMail Generator deserializes untrusted input as part of the phpfmg_filman_download() function. A remote unauthenticated attacker may be able to use this vulnerability to inject PHP code, or along with …
- CVE-2016-9498 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-07-13
ManageEngine Applications Manager 12 and 13 before build 13200 allows unserialization of unsafe Java objects. The vulnerability can be exploited by a remote user without authentication and allows remote code execution, compromising the a…
- CVE-2016-9585 | MEDIUM | CVSS 5.3 | EG 5.3 | 2018-03-09
Red Hat JBoss EAP version 5 is vulnerable to deserialization of untrusted data in the JMX endpoint when it deserializes the credentials passed to it. An attacker could exploit this vulnerability, resulting in a denial of service attack.
- CVE-2017-1000353 | CRITICAL | CVSS 9.8 | EG 9.8 | ⚠ KEV | 2018-01-29
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remote code execution. An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedO…
- CVE-2017-1000355 | MEDIUM | CVSS 6.5 | EG 6.5 | 2018-01-29
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an XStream: Java crash when trying to instantiate void/Void.
- CVE-2017-10934 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-07-25
All versions prior to V5.09.02.02T4 of the ZTE ZXIPTV-EPG product use the Java RMI service in which the servers use the Apache Commons Collections (ACC) library that may result in Java deserialization vulnerabilities. An unauthenticated re…
- CVE-2017-10992 | CRITICAL | CVSS 9.8 | EG 9.8 | 2020-03-10
In HPE Storage Essentials 9.5.0.142, there is Unauthenticated Java Deserialization with remote code execution via OS commands in a request to invoker/JMXInvokerServlet, aka PSRT110461.
- CVE-2017-12149 | CRITICAL | CVSS 9.8 | EG 9.8 | ⚠ KEV | 2017-10-04
In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization …
- CVE-2017-12556 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-02-15
A Remote Code Execution vulnerability in HPE intelligent Management Center (iMC) PLAT version IMC Plat 7.3 E0504P2 and earlier was found.
- CVE-2017-12557 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-02-15
A Remote Code Execution vulnerability in HPE intelligent Management Center (iMC) PLAT version IMC Plat 7.3 E0504P2 and earlier was found.
- CVE-2017-12558 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-02-15
A Remote Code Execution vulnerability in HPE intelligent Management Center (iMC) PLAT version IMC Plat 7.3 E0504P2 and earlier was found.
- CVE-2017-13286 | HIGH | CVSS 7.8 | EG 7.8 | 2018-04-04
In writeToParcel and readFromParcel of OutputConfiguration.java, there is a permission bypass due to mismatched serialization. This could lead to a local escalation of privilege where the user can start an activity with system privileges, …
- CVE-2017-15089 | HIGH | CVSS 8.8 | EG 8.8 | 2018-02-15
It was found that the Hotrod client in Infinispan before 9.2.0.CR1 would unsafely read deserialized data on information from the cache. An authenticated attacker could inject a malicious object into the data cache and attain deserializatio…
- CVE-2017-15095 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-02-06
A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the …
- CVE-2017-15692 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-02-27
In Apache Geode before v1.4.0, the TcpServer within the Geode locator opens a network port that deserializes data. If an unprivileged user gains access to the Geode locator, they may be able to cause remote code execution if certain classe…
- CVE-2017-15693 | HIGH | CVSS 7.5 | EG 7.5 | 2018-02-27
In Apache Geode before v1.4.0, the Geode server stores application objects in serialized form. Certain cluster operations and API invocations cause these objects to be deserialized. A user with DATA:WRITE access to the cluster may be able …
- CVE-2017-15703 | MEDIUM | CVSS 5.0 | EG 5.0 | 2018-01-25
Any authenticated user (valid client certificate but without ACL permissions) could upload a template which contained malicious code and caused a denial of service via Java deserialization attack. The fix to properly handle Java deserializ…
- CVE-2017-1677 | HIGH | CVSS 7.4 | EG 7.8 | 2018-03-22
IBM Data Server Driver for JDBC and SQLJ (IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1) deserializes the contents of /tmp/connlicj.bin which leads to object injection and potentially arbitrary code execution depending on t…
- CVE-2017-17406 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-01-23
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Netgain Enterprise Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within an exposed RMI re…
- CVE-2017-17485 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-01-10
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON…
- CVE-2017-18342 | CRITICAL | CVSS 9.8 | EG 9.8 | 2018-06-27
In PyYAML before 5.1, the yaml.load() API could execute arbitrary code if used with untrusted data. The load() function has been deprecated in version 5.1 and the 'UnsafeLoader' has been introduced for backward compatibility with the funct…
- CVE-2017-18365 | CRITICAL | CVSS 9.8 | EG 9.8 | 2019-03-28
The Management Console in GitHub Enterprise 2.8.x before 2.8.7 has a deserialization issue that allows unauthenticated remote attackers to execute arbitrary code. This occurs because the enterprise session secret is always the same, and ca…
Map vulnerabilities like CWE-502 to your infrastructure
EchelonGraph correlates every CVE — across CWE-502 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.