CWE-502: Deserialization of Untrusted Data
2,468 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-502 (page 15 of 50)
- CVE-2021-44678 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-12-06
An issue (2 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for possible commands from client applications…
- CVE-2021-44679 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-12-06
An issue (3 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for possible commands from client applications…
- CVE-2021-44680 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-12-06
An issue (4 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for possible commands from client applications…
- CVE-2021-44681 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-12-06
An issue (5 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for possible commands from client applications…
- CVE-2021-44682 | CRITICAL | CVSS 9.8 | EG 9.8 | 2021-12-06
An issue (6 of 6) was discovered in Veritas Enterprise Vault through 14.1.2. On start-up, the Enterprise Vault application starts several services that listen on random .NET Remoting TCP ports for possible commands from client applications…
- CVE-2021-45394 | HIGH | CVSS 8.8 | EG 8.8 | 2022-01-18
An issue was discovered in Spipu HTML2PDF before 5.2.4. Attackers can trigger deserialization of arbitrary data via the injection of a malicious <link> tag in the converted HTML document.
- CVE-2021-45899 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-01-28
SuiteCRM before 7.12.3 and 8.x before 8.0.2 allows PHAR deserialization that can lead to remote code execution.
- CVE-2021-46364 | HIGH | CVSS 7.8 | EG 7.8 | 2022-02-11
A vulnerability in the SnakeYAML parser of Magnolia CMS v6.2.3 and below allows attackers to execute arbitrary code via a crafted YAML file.
- CVE-2022-0138 | HIGH | CVSS 7.5 | EG 7.5 | 2022-02-18
MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior to v2.8.6.1, and PTMP C-series and A5x: Device versions prior to v2.5.4.1 have a deserialization function that does not validate or check the data, allowing arbitrary cl…
- CVE-2022-0538 | HIGH | CVSS 7.5 | EG 7.5 | 2022-02-09
Jenkins 2.333 and earlier, LTS 2.319.2 and earlier defines custom XStream converters that have not been updated to apply the protections for the vulnerability CVE-2021-43859 and allow unconstrained resource usage.
- CVE-2022-0573 | HIGH | CVSS 8.8 | EG 8.8 | 2022-05-16
JFrog Artifactory before 7.36.1 and 6.23.41 is vulnerable to insecure deserialization of untrusted data, which can lead to DoS, privilege escalation and remote code execution when a specially crafted request is sent by a low privileged aut…
- CVE-2022-0749 | HIGH | CVSS 7.4 | EG 9.8 | 2022-03-17
This affects all versions of package SinGooCMS.Utility. The socket client in the package can pass in the payload via the user-controllable input after it has been established, because this socket client transmission does not have the appro…
- CVE-2022-1032 | HIGH | CVSS 7.2 | EG 7.2 | 2022-03-29
Insecure deserialization of an unvalidated module file in GitHub repository crater-invoice/crater prior to 6.0.6.
- CVE-2022-1118 | HIGH | CVSS 8.6 | EG 7.8 | 2022-05-17
Connected Components Workbench (v13.00.00 and prior), ISaGRAF Workbench (v6.0 through v6.6.9), and Safety Instrumented System Workstation (v1.2 and prior (for Trusted Controllers)) do not limit the objects that can be deserialized. This all…
- CVE-2022-1415 | HIGH | CVSS 8.1 | EG 8.1 | 2023-09-11
A flaw was found where some utility classes in Drools core did not use proper safeguards when deserializing data. This flaw allows an authenticated attacker to construct malicious serialized objects (usually called gadgets) and achieve cod…
- CVE-2022-1463 | HIGH | CVSS 8.8 | EG 8.8 | 2022-05-10
The Booking Calendar plugin for WordPress is vulnerable to PHP Object Injection via the [bookingflextimeline] shortcode in versions up to, and including, 9.1. This could be exploited by subscriber-level users and above to call arbitrary PH…
- CVE-2022-1471 | HIGH | CVSS 8.3 | EG 9.0 | 2022-12-01
SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor…
- CVE-2022-1660 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-06-02
The affected products are vulnerable to deserialization of untrusted data without prior authorization/authentication, which may allow an attacker to remotely execute arbitrary code.
- CVE-2022-1984 | MEDIUM | CVSS 4.5 | EG 7.8 | 2022-07-19
This issue affects: HYPR Windows WFA versions prior to 7.2; Unsafe Deserialization vulnerability in HYPR Workforce Access (WFA) before version 7.2 may allow local authenticated attackers to elevate privileges via a malicious serialized pay…
- CVE-2022-20195 | MEDIUM | CVSS 5.0 | EG 5.0 | 2022-06-15
In the keystore library, there is a possible prevention of access to system Settings due to unsafe deserialization. This could lead to local denial of service with User execution privileges needed. User interaction is needed for exploitati…
- CVE-2022-20763 | MEDIUM | CVSS 5.4 | EG 8.8 | 2022-04-06
A vulnerability in the login authorization components of Cisco Webex Meetings could allow an authenticated, remote attacker to inject arbitrary Java code. This vulnerability is due to improper deserialization of Java code within login requ…
- CVE-2022-21341 | MEDIUM | CVSS 5.3 | EG 5.3 | 2022-01-19
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise …
- CVE-2022-21445 | CRITICAL | CVSS 9.8 | EG 9.8 | ⚠ KEV | 2022-04-19
Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: ADF Faces). Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows u…
- CVE-2022-21549 | MEDIUM | CVSS 5.3 | EG 5.3 | 2022-07-19
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.3.1; Oracle GraalVM Enterprise Edition: 21.3.2 and 22.1.…
- CVE-2022-21624 | LOW | CVSS 3.7 | EG 3.7 | 2022-10-18
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterpr…
- CVE-2022-21647 | HIGH | CVSS 7.7 | EG 7.7 | 2022-01-04
CodeIgniter is an open source PHP full-stack web framework. Deserialization of Untrusted Data was found in the `old()` function in CodeIgniter4. Remote attackers may inject auto-loadable arbitrary objects with this vulnerability, and possi…
- CVE-2022-21663 | MEDIUM | CVSS 6.6 | EG 6.6 | 2022-01-06
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. On a multisite, users with Super Admin role can bypass explicit/additional hardening under certain conditions through object i…
- CVE-2022-21828 | HIGH | CVSS 7.2 | EG 7.2 | 2022-03-04
A user with high privilege access to the Incapptic Connect web console can remotely execute code on the Incapptic Connect server using an unspecified attack vector in Incapptic Connect version 1.40.0, 1.39.1, 1.39.0, 1.38.1, 1.38.0, 1.37.1,…
- CVE-2022-22005 | HIGH | CVSS 8.8 | EG 8.8 | 2022-02-09
Microsoft SharePoint Server Remote Code Execution Vulnerability
- CVE-2022-22241 | HIGH | CVSS 8.1 | EG 8.1 | 2022-10-18
An Improper Input Validation vulnerability in the J-Web component of Juniper Networks Junos OS may allow an unauthenticated attacker to access data without proper authorization. Utilizing a crafted POST request, deserialization may occur w…
- CVE-2022-22957 | HIGH | CVSS 7.2 | EG 7.2 | 2022-04-13
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two remote code execution vulnerabilities (CVE-2022-22957 & CVE-2022-22958). A malicious actor with administrative access can trigger deserialization of untruste…
- CVE-2022-22958 | HIGH | CVSS 7.2 | EG 7.2 | 2022-04-13
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two remote code execution vulnerabilities (CVE-2022-22957 & CVE-2022-22958). A malicious actor with administrative access can trigger deserialization of untruste…
- CVE-2022-23302 | HIGH | CVSS 8.8 | EG 8.8 | 2022-01-18
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attack…
- CVE-2022-23307 | HIGH | CVSS 8.8 | EG 9.8 | 2022-01-18
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0, Chainsaw was a component of Apache Log4j 1.2.x, where the same issue exists.
- CVE-2022-23450 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-04-12
A vulnerability has been identified in SIMATIC Energy Manager Basic (All versions < V7.3 Update 1), SIMATIC Energy Manager PRO (All versions < V7.3 Update 1). The affected system allows remote users to send maliciously crafted objects. Due…
- CVE-2022-23535 | HIGH | CVSS 7.3 | EG 7.3 | 2023-02-24
LiteDB is a small, fast and lightweight .NET NoSQL embedded database. Versions prior to 5.0.13 are subject to Deserialization of Untrusted Data. LiteDB uses a special field in JSON documents to cast different types from `BsonDocument` to P…
- CVE-2022-23734 | HIGH | CVSS 8.8 | EG 8.8 | 2022-10-19
A deserialization of untrusted data vulnerability was identified in GitHub Enterprise Server that could potentially lead to remote code execution on the SVNBridge. To exploit this vulnerability, an attacker would need to gain access via a …
- CVE-2022-23940 | HIGH | CVSS 8.8 | EG 8.8 | 2022-03-10
SuiteCRM through 7.12.1 and 8.x through 8.0.1 allows Remote Code Execution. Authenticated users with access to the Scheduled Reports module can achieve this by leveraging PHP deserialization in the email_recipients property. By using a cra…
- CVE-2022-24082 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-07-19
If an on-premise installation of the Pega Platform is configured with the port for the JMX interface exposed to the Internet and port filtering is not properly configured, then it may be possible to upload serialized payloads to attack the…
- CVE-2022-24108 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-05-17
The Skyoftech So Listing Tabs module 2.2.0 for OpenCart allows a remote attacker to inject a serialized PHP object via the setting parameter, potentially resulting in the ability to write to files on the server, cause DoS, and achieve remo…
- CVE-2022-24282 | HIGH | CVSS 7.2 | EG 7.2 | 2022-03-08
A vulnerability has been identified in SINEC NMS (All versions >= V1.0.3 < V2.0), SINEC NMS (All versions < V1.0.3), SINEMA Server V14 (All versions). The affected system allows uploading JSON objects that are deserialized to Java objects.…
- CVE-2022-24289 | HIGH | CVSS 8.8 | EG 8.8 | 2022-02-11
Hessian serialization is a network protocol that supports object-based transmission. Apache Cayenne's optional Remote Object Persistence (ROP) feature is a web services-based technology that provides object persistence and query functional…
- CVE-2022-2433 | HIGH | CVSS 7.5 | EG 8.8 | 2022-09-06
The WordPress Infinite Scroll – Ajax Load More plugin for WordPress is vulnerable to deserialization of untrusted input via the 'alm_repeaters_export' parameter in versions up to, and including, 5.5.3. This makes it possible for unauthent…
- CVE-2022-2434 | HIGH | CVSS 8.8 | EG 8.8 | 2022-09-06
The String Locator plugin for WordPress is vulnerable to deserialization of untrusted input via the 'string-locator-path' parameter in versions up to, and including, 2.5.0. This makes it possible for unauthenticated users to call files usin…
- CVE-2022-2436 | HIGH | CVSS 8.8 | EG 8.8 | 2022-09-06
The Download Manager plugin for WordPress is vulnerable to deserialization of untrusted input via the 'file[package_dir]' parameter in versions up to, and including, 3.2.49. This makes it possible for authenticated attackers with contributo…
- CVE-2022-2437 | CRITICAL | CVSS 9.8 | EG 9.8 | 2022-07-18
The Feed Them Social – for Twitter feed, Youtube and more plugin for WordPress is vulnerable to deserialization of untrusted input via the 'fts_url' parameter in versions up to, and including, 2.9.8.5. This makes it possible for unauthent…
- CVE-2022-2438 | HIGH | CVSS 7.2 | EG 7.2 | 2022-09-06
The Broken Link Checker plugin for WordPress is vulnerable to deserialization of untrusted input via the '$log_file' value in versions up to, and including, 1.11.16. This makes it possible for authenticated attackers with administrative pri…
- CVE-2022-2439 | HIGH | CVSS 7.2 | EG 7.2 | 2024-09-24
The Easy Digital Downloads – Simple eCommerce for Selling Digital Files plugin for WordPress is vulnerable to deserialization of untrusted input via the 'upload[file]' parameter in versions up to, and including, 3.3.3. This makes it possi…
- CVE-2022-2440 | HIGH | CVSS 7.2 | EG 7.2 | 2024-08-29
The Theme Editor plugin for WordPress is vulnerable to deserialization of untrusted input via the 'images_array' parameter in versions up to, and including, 2.8. This makes it possible for authenticated attackers with administrative privile…
- CVE-2022-2442 | HIGH | CVSS 7.2 | EG 7.2 | 2022-09-06
The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to deserialization of untrusted input via the 'path' parameter in versions up to, and including, 0.9.74. This makes it possible for authenticated attackers with…