CWE-502: Deserialization of Untrusted Data
2,468 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-502, page 11 of 50
- CVE-2021-21242 | CRITICAL | CVSS 10.0 | EG 10.0 | 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` …
- CVE-2021-21243 | CRITICAL | CVSS 10.0 | EG 10.0 | 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, a Kubernetes REST endpoint exposes two methods that deserialize untrusted data from the request body. These endpoints do not enforce any authentication or authorizati…
- CVE-2021-21247 | CRITICAL | CVSS 9.6 | EG 9.6 | 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the application's BasePage registers an AJAX event listener (`AbstractPostAjaxBehavior`) in all pages other than the login page. This listener decodes and deserialize…
- CVE-2021-21249 | CRITICAL | CVSS 9.6 | EG 9.6 | 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is an issue involving YAML parsing which can lead to post-auth remote code execution. In order to parse and process YAML files, OneDev uses SnakeYaml which by d…
- CVE-2021-21341 | HIGH | CVSS 7.5 | EG 7.5 | 2021-03-23
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parall…
- CVE-2021-21342 | MEDIUM | CVSS 5.3 | EG 5.3 | 2021-03-23
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written ob…
- CVE-2021-21343 | MEDIUM | CVSS 5.3 | EG 5.3 | 2021-03-23
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written ob…
- CVE-2021-21344 | MEDIUM | CVSS 5.3 | EG 5.3 | 2021-03-23
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating t…
- CVE-2021-21345 | MEDIUM | CVSS 5.8 | EG 9.0 | 2021-03-23
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulati…
- CVE-2021-21346 | MEDIUM | CVSS 6.1 | EG 6.1 | 2021-03-23
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating t…
- CVE-2021-21347 | MEDIUM | CVSS 6.1 | EG 6.1 | 2021-03-23
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating t…
- CVE-2021-21348 | MEDIUM | CVSS 5.3 | EG 5.3 | 2021-03-23
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No …
- CVE-2021-21349 | MEDIUM | CVSS 6.1 | EG 6.1 | 2021-03-23
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available only…
- CVE-2021-21350 | MEDIUM | CVSS 5.3 | EG 5.3 | 2021-03-23
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. N…
- CVE-2021-21351 | MEDIUM | CVSS 5.4 | EG 9.0 | 2021-03-23
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the pro…
- CVE-2021-21371 | MEDIUM | CVSS 5.0 | EG 5.0 | 2021-03-10
Tenable for Jira Cloud is an open source project designed to pull Tenable.io vulnerability data, then generate Jira Tasks and sub-tasks based on the vulnerabilities' current state. It is published on PyPI as "tenable-jira-cloud". In tenable-j…
- CVE-2021-21426 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-04-21
Magento-lts is a long-term support alternative to Magento Community Edition (CE). In magento-lts versions 19.4.12 and prior and 20.0.8 and prior, there is a vulnerability caused by the unsecured deserialization of an object. A patch in ver…
- CVE-2021-21488 | MEDIUM | CVSS 6.5 | EG 6.5 | 2021-03-09
Knowledge Management versions 7.01, 7.02, 7.30, 7.31, 7.40, 7.50 allows a remote attacker with basic privileges to deserialize user-controlled data without verification, leading to insecure deserialization which triggers the attacker’s c…
- CVE-2021-21524 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-04-12
Dell SRM versions prior to 4.5.0.1 and Dell SMR versions prior to 4.5.0.1 contain an Untrusted Deserialization Vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to arbitrary privileged cod…
- CVE-2021-21604 | HIGH | CVSS 8.0 | EG 8.0 | 2021-01-13
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows attackers with permission to create or configure various objects to inject crafted content into Old Data Monitor that results in the instantiation of potentially unsafe objects once…
- CVE-2021-21677 | HIGH | CVSS 8.8 | EG 8.8 | 2021-08-31
Jenkins Code Coverage API Plugin 1.4.0 and earlier does not apply Jenkins JEP-200 deserialization protection to Java objects it deserializes from disk, resulting in a remote code execution vulnerability.
- CVE-2021-21741 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-08-30
There is a command execution vulnerability in a ZTE conference management system. As some services are enabled by default, the attacker could exploit this vulnerability to execute arbitrary commands by sending specific serialization comman…
- CVE-2021-21863 | HIGH | CVSS 7.8 | EG 7.8 | 2021-08-05
An unsafe deserialization vulnerability exists in the ComponentModel Profile.FromFile() functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution. An attacke…
- CVE-2021-21864 | HIGH | CVSS 7.8 | EG 7.8 | 2021-08-02
An unsafe deserialization vulnerability exists in the ComponentModel ComponentManager.StartupCultureSettings functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command …
- CVE-2021-21865 | HIGH | CVSS 7.8 | EG 7.8 | 2021-08-02
An unsafe deserialization vulnerability exists in the PackageManagement.plugin ExtensionMethods.Clone() functionality of CODESYS GmbH CODESYS Development System 3.5.16. A specially crafted file can lead to arbitrary command execution. An at…
- CVE-2021-21866 | HIGH | CVSS 7.8 | EG 7.8 | 2021-08-02
An unsafe deserialization vulnerability exists in the ObjectManager.plugin ProfileInformation.ProfileData functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command exe…
- CVE-2021-21867 | HIGH | CVSS 7.8 | EG 7.8 | 2021-08-18
An unsafe deserialization vulnerability exists in the ObjectManager.plugin ObjectStream.ProfileByteArray functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command exe…
- CVE-2021-21868 | HIGH | CVSS 7.8 | EG 7.8 | 2021-08-18
An unsafe deserialization vulnerability exists in the ObjectManager.plugin Project.get_MissingTypes() functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execut…
- CVE-2021-21869 | HIGH | CVSS 7.8 | EG 7.8 | 2021-08-25
An unsafe deserialization vulnerability exists in the Engine.plugin ProfileInformation ProfileData functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution…
- CVE-2021-21956 | HIGH | CVSS 7.8 | EG 7.8 | 2022-04-14
A PHP unserialize vulnerability exists in the Ai-Bolit functionality of CloudLinux Inc Imunify360 5.10.2. A specially-crafted malformed file can lead to potential arbitrary command execution. An attacker can provide a malicious file to tri…
- CVE-2021-22095 | MEDIUM | CVSS 6.5 | EG 6.5 | 2021-11-30
In Spring AMQP versions 2.2.0 - 2.2.19 and 2.3.0 - 2.3.11, the Spring AMQP Message object, in its toString() method, will create a new String object from the message body, regardless of its size. This can cause an OOM Error with a large me…
- CVE-2021-22097 | MEDIUM | CVSS 6.5 | EG 6.5 | 2021-10-28
In Spring AMQP versions 2.2.0 - 2.2.18 and 2.3.0 - 2.3.10, the Spring AMQP Message object, in its toString() method, will deserialize a body for a message with content type application/x-java-serialized-object. It is possible to construct …
- CVE-2021-22439 | HIGH | CVSS 8.1 | EG 8.1 | 2021-06-29
There is a deserialization vulnerability in Huawei AnyOffice V200R006C10. An attacker can construct a specific request to exploit this vulnerability. Successfully exploiting this vulnerability, the attacker can execute remote malicious cod…
- CVE-2021-22777 | HIGH | CVSS 7.8 | EG 7.8 | 2021-07-21
A CWE-502: Deserialization of Untrusted Data vulnerability exists that could cause code execution by opening a malicious project file.
- CVE-2021-22855 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-02-17
A specific function of the HR Portal of Soar Cloud System accepts any type of object for deserialization. Attackers can send malicious serialized objects to execute arbitrary commands.
- CVE-2021-23338 | MEDIUM | CVSS 6.6 | EG 6.6 | 2021-02-15
This affects all versions of package qlib. The workflow function in cli part of qlib was using an unsafe YAML load function.
- CVE-2021-23420 | HIGH | CVSS 7.7 | EG 7.7 | 2021-08-11
This affects the package codeception/codeception from 4.0.0 and before 4.1.22, before 3.1.3. The RunProcess class can be leveraged as a gadget to run arbitrary commands on a system that is deserializing user input without validation.
- CVE-2021-23592 | HIGH | CVSS 7.7 | EG 7.7 | 2022-05-06
The package topthink/framework before 6.0.12 is vulnerable to Deserialization of Untrusted Data due to an insecure unserialize method in the Driver class.
- CVE-2021-23758 | HIGH | CVSS 8.1 | EG 9.0 | 2021-12-03
All versions of package ajaxpro.2 are vulnerable to Deserialization of Untrusted Data due to the possibility of deserialization of arbitrary .NET classes, which can be abused to gain remote code execution.
- CVE-2021-23894 | CRITICAL | CVSS 9.6 | EG 8.8 | 2021-06-02
Deserialization of untrusted data vulnerability in McAfee Database Security (DBSec) prior to 4.8.2 allows a remote unauthenticated attacker to create a reverse shell with administrator privileges on the DBSec server via carefully construct…
- CVE-2021-23895 | CRITICAL | CVSS 9.0 | EG 8.0 | 2021-06-02
Deserialization of untrusted data vulnerability in McAfee Database Security (DBSec) prior to 4.8.2 allows a remote authenticated attacker to create a reverse shell with administrator privileges on the DBSec server via carefully constructed…
- CVE-2021-24040 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-09-10
Due to use of unsafe YAML deserialization logic, an attacker with the ability to modify local YAML configuration files could provide malicious input, resulting in remote code execution or similar risks. This issue affects ParlAI prior to v…
- CVE-2021-24066 | HIGH | CVSS 8.8 | EG 8.8 | 2021-02-25
Microsoft SharePoint Remote Code Execution Vulnerability
- CVE-2021-24217 | HIGH | CVSS 8.1 | EG 8.1 | 2021-04-12
The run_action function of the Facebook for WordPress plugin before 3.0.0 deserializes user supplied data making it possible for PHP objects to be supplied creating an Object Injection vulnerability. There was also a useable magic method i…
- CVE-2021-24280 | HIGH | CVSS 8.8 | EG 8.8 | 2021-05-14
In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, any authenticated user, such as a subscriber, could use the import_from_debug AJAX action to inject PHP objects.
- CVE-2021-24307 | HIGH | CVSS 8.8 | EG 8.8 | 2021-05-24
The All in One SEO – Best WordPress SEO Plugin – Easily Improve Your SEO Rankings before 4.1.0.2 enables authenticated users with "aioseo_tools_settings" privilege (most of the time admin) to execute arbitrary code on the underlying ho…
- CVE-2021-24384 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-07-06
The joomsport_md_load AJAX action of the JoomSport WordPress plugin before 5.1.8, registered for both unauthenticated and authenticated users, unserialises user input from the shattr POST parameter, leading to a PHP Object Injection issu…
- CVE-2021-24579 | HIGH | CVSS 8.8 | EG 8.8 | 2021-08-30
The bt_bb_get_grid AJAX action of the Bold Page Builder WordPress plugin before 3.1.6 passes user input into the unserialize() function without any validation or sanitisation, which could lead to a PHP Object Injection. Even though the plu…
- CVE-2021-24857 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-12-13
The ToTop Link WordPress plugin through 1.7.1 passes base64 encoded user input to the unserialize() PHP function, which could lead to PHP Object injection if a plugin installed on the blog has a suitable gadget chain.
- CVE-2021-25151 | HIGH | CVSS 8.8 | EG 8.8 | 2021-04-28
A remote insecure deserialization vulnerability was discovered in Aruba AirWave Management Platform version(s) prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability.
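The XStream entries above (CVE-2021-21342 and CVE-2021-21343) name the root cause shared by most of this page: the stream carries type information, and the deserializer instantiates whatever type it names, so the sender picks the code that runs. Jenkins' JEP-200 protection (CVE-2021-21677), XStream's allowlist and Java's ObjectInputFilter all answer that the same way, by refusing any class the receiver does not expect; the ToTop Link entry (CVE-2021-24857) shows the other half, that exploitability depends on a gadget being reachable from the stream. What follows is an added example, not code from any project listed on this page, that shows the failure and the fix in Python's `pickle` (standard library only, runs offline): a hand-assembled stream that names a callable the receiver never intended to run, an allowlisting `Unpickler` that rejects it before anything executes, and a `pickletools` pre-scan that lists the globals a stream references without loading it. The `ALLOWED_GLOBALS` set, the helper names and the sample payloads are assumptions made for this example.

```python
import datetime
import importlib
import io
import pickle
import pickletools

# Types the receiver legitimately expects in a stream; everything else is refused.
# Assumption for the example: a real service lists its own DTO classes here.
ALLOWED_GLOBALS = {("datetime", "date"), ("datetime", "datetime")}


def call_pickle(module: str, name: str, arg: str) -> bytes:
    """Hand-assemble a protocol-0 stream that makes the unpickler call module.name(arg).

    The stream itself chooses the callable: GLOBAL pushes module.name, then
    MARK / UNICODE / TUPLE build the argument tuple and REDUCE invokes it.
    Every "attacker controls the type in the stream" payload has this shape.
    """
    return (
        b"c" + module.encode() + b"\n" + name.encode() + b"\n"  # GLOBAL module name
        + b"(" + b"V" + arg.encode() + b"\n" + b"t"            # MARK, UNICODE arg, TUPLE
        + b"R."                                                 # REDUCE (call it), STOP
    )


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves globals only from an explicit allowlist.

    find_class is the single choke point through which every GLOBAL / STACK_GLOBAL
    opcode resolves, so refusing here stops the call before REDUCE can run it
    (the pickle analogue of JEP-200, XStream's allowlist or ObjectInputFilter).
    """

    def find_class(self, module: str, name: str):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")
        return getattr(importlib.import_module(module), name)


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads that enforces ALLOWED_GLOBALS."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def referenced_globals(data: bytes) -> list:
    """List every (module, name) a stream would resolve, without executing it.

    Protocols 0-3 use GLOBAL with an inline "module name" argument; protocol 4+
    push the two strings first and then emit STACK_GLOBAL, so the last two string
    arguments seen form the pair. Best-effort triage for a captured blob.
    """
    found, recent_strings = [], []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL":
            pair = tuple(recent_strings[-2:]) if len(recent_strings) >= 2 else ("?", "?")
            found.append(pair)
        elif isinstance(arg, str):
            recent_strings.append(arg)
    return found


def demo() -> dict:
    """Run the three cases on constructed inputs and return what was observed."""
    # 1. A stream naming a callable: the stock unpickler simply calls it.
    #    builtins.len stands in for os.system; only the strings in the stream differ.
    stream_chosen_call = call_pickle("builtins", "len", "abc")
    executed = pickle.loads(stream_chosen_call)  # 3: the stream picked the function

    # 2. The same shape aimed at os.system is refused at find_class, before REDUCE,
    #    so nothing runs. It is deliberately never passed to pickle.loads here.
    hostile = call_pickle("os", "system", "id")
    try:
        restricted_loads(hostile)
        refused = False
    except pickle.UnpicklingError:
        refused = True

    # 3. Expected data still round-trips: plain containers need no globals at all,
    #    and the allowlisted datetime.date resolves normally.
    plain = restricted_loads(pickle.dumps({"sensor": [1, 2, 3]}))
    stamped = restricted_loads(pickle.dumps(datetime.date(2021, 3, 23)))

    return {
        "stock_unpickler_ran_stream_chosen_callable": executed,
        "hostile_refused": refused,
        "hostile_globals": referenced_globals(hostile),
        "plain": plain,
        "plain_globals": referenced_globals(pickle.dumps({"sensor": [1, 2, 3]})),
        "stamped_iso": stamped.isoformat(),
        "stamped_globals": referenced_globals(pickle.dumps(datetime.date(2021, 3, 23))),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The allowlist is the control that matters; the pre-scan is for triage of blobs found in queues, caches or uploads, not a substitute, because a stream can reach a gadget through a memoized name or a nested object that a flat opcode walk does not fully resolve. The same reasoning applies to the YAML entries on this page (qlib, ParlAI): a loader that honours type tags in the document is the unrestricted unpickler, and the safe loader is the allowlist.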
Map vulnerabilities like CWE-502 to your infrastructure
EchelonGraph correlates every CVE — across CWE-502 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.