CWE-502: Deserialization of Untrusted Data
2,472 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-502 (page 32 of 50)
- CVE-2024-52411 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-11-16
Deserialization of Untrusted Data vulnerability in flowcraft Advanced Personalization personalization-by-flowcraft allows Object Injection. This issue affects Advanced Personalization: from n/a through <= 1.1.2.
- CVE-2024-52412 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-11-16
Deserialization of Untrusted Data vulnerability in Stephen Cui Xin allows Object Injection. This issue affects Xin: from n/a through 1.0.8.1.
- CVE-2024-52413 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-11-16
Deserialization of Untrusted Data vulnerability in dmcwebzone Airin Blog airin-blog allows Object Injection. This issue affects Airin Blog: from n/a through <= 1.6.1.
- CVE-2024-52414 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-11-16
Deserialization of Untrusted Data vulnerability in Anthony Carbon WDES Responsive Mobile Menu wdes-responsive-mobile-menu allows Object Injection. This issue affects WDES Responsive Mobile Menu: from n/a through <= 5.3.18.
- CVE-2024-52430 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-11-18
Deserialization of Untrusted Data vulnerability in bublick Lis Video Gallery lis-video-gallery allows Object Injection. This issue affects Lis Video Gallery: from n/a through <= 0.2.1.
- CVE-2024-52432 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-11-18
Deserialization of Untrusted Data vulnerability in NIX Solutions Ltd NIX Anti-Spam Light nix-anti-spam-light allows Object Injection. This issue affects NIX Anti-Spam Light: from n/a through <= 0.0.4.
- CVE-2024-52433 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-11-18
Deserialization of Untrusted Data vulnerability in Mindstien Technologies My Geo Posts Free my-geo-posts-free allows Object Injection. This issue affects My Geo Posts Free: from n/a through <= 1.2.
- CVE-2024-52439 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-11-20
Deserialization of Untrusted Data vulnerability in Mark O'Donnell Team Rosters team-rosters allows Object Injection. This issue affects Team Rosters: from n/a through <= 4.8.2.
- CVE-2024-52440 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-11-20
Deserialization of Untrusted Data vulnerability in xpresslane Xpresslane Fast Checkout xpresslane-integration-for-woocommerce allows Object Injection. This issue affects Xpresslane Fast Checkout: from n/a through <= 1.0.0.
- CVE-2024-52443 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-11-20
Deserialization of Untrusted Data vulnerability in masikonis Geolocator geolocator allows Object Injection. This issue affects Geolocator: from n/a through <= 1.1.
- CVE-2024-52445 | HIGH | CVSS 8.8 | EG 8.8 | 2024-11-20
Deserialization of Untrusted Data vulnerability in ModelTheme QRMenu Restaurant QR Menu Lite qrmenu-lite allows Object Injection. This issue affects QRMenu Restaurant QR Menu Lite: from n/a through <= 1.0.4.
- CVE-2024-52577 | CRITICAL | CVSS 9.0 | EG 9.0 | 2025-02-14
In Apache Ignite versions from 2.6.0 and before 2.17.0, configured Class Serialization Filters are ignored for some Ignite endpoints. The vulnerability could be exploited if an attacker manually crafts an Ignite message containing a vulner…
- CVE-2024-53247 | HIGH | CVSS 8.8 | EG 8.8 | 2024-12-10
In Splunk Enterprise versions below 9.3.2, 9.2.4, and 9.1.7, and versions below 3.4.261 and 3.7.13 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user that does not hold the “admin” or “power” Splunk ro…
- CVE-2024-53326 | HIGH | CVSS 7.3 | EG 7.3 | 2026-05-08
LINQPad before 5.52.01 Pro edition is vulnerable to Unsafe Deserialization in LINQPad.AutoRefManager::PopulateFromCache(), leading to code execution.
- CVE-2024-5335 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-08-21
The Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider plugin is vulnerable to PHP Object Injection via deserialization of untrusted input via the…
- CVE-2024-53477 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-12-02
JFinal CMS 5.1.0 is vulnerable to Command Execution via unauthorized execution of deserialization in the file ApiForm.java.
- CVE-2024-5351 | MEDIUM | CVSS 6.3 | EG 6.3 | 2024-05-26
A vulnerability was found in anji-plus AJ-Report up to 1.4.1. It has been declared as critical. Affected by this vulnerability is the function getValueFromJs of the component Javascript Handler. The manipulation leads to deserialization. T…
- CVE-2024-5352 | MEDIUM | CVSS 6.3 | EG 6.3 | 2024-05-26
A vulnerability was found in anji-plus AJ-Report up to 1.4.1. It has been rated as critical. Affected by this issue is the function validationRules of the component com.anjiplus.template.gaea.business.modules.datasetparam.controller.DataSe…
- CVE-2024-53673 | HIGH | CVSS 8.1 | EG 8.1 | 2024-11-26
A Java deserialization vulnerability in HPE Remote Insight Support may allow an unauthenticated attacker to execute code.
- CVE-2024-53909 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-11-24
An issue was discovered in the server in Veritas Enterprise Vault before 15.2, ZDI-CAN-24334. It allows remote attackers to execute arbitrary code because untrusted data, received on a .NET Remoting TCP port, is deserialized.
- CVE-2024-53910 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-11-24
An issue was discovered in the server in Veritas Enterprise Vault before 15.2, ZDI-CAN-24336. It allows remote attackers to execute arbitrary code because untrusted data, received on a .NET Remoting TCP port, is deserialized.
- CVE-2024-53911 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-11-24
An issue was discovered in the server in Veritas Enterprise Vault before 15.2, ZDI-CAN-24339. It allows remote attackers to execute arbitrary code because untrusted data, received on a .NET Remoting TCP port, is deserialized.
- CVE-2024-53912 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-11-24
An issue was discovered in the server in Veritas Enterprise Vault before 15.2, ZDI-CAN-24341. It allows remote attackers to execute arbitrary code because untrusted data, received on a .NET Remoting TCP port, is deserialized.
- CVE-2024-53913 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-11-24
An issue was discovered in the server in Veritas Enterprise Vault before 15.2, ZDI-CAN-24343. It allows remote attackers to execute arbitrary code because untrusted data, received on a .NET Remoting TCP port, is deserialized.
- CVE-2024-53914 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-11-24
An issue was discovered in the server in Veritas Enterprise Vault before 15.2, ZDI-CAN-24344. It allows remote attackers to execute arbitrary code because untrusted data, received on a .NET Remoting TCP port, is deserialized.
- CVE-2024-53915 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-11-24
An issue was discovered in the server in Veritas Enterprise Vault before 15.2, ZDI-CAN-24405. It allows remote attackers to execute arbitrary code because untrusted data, received on a .NET Remoting TCP port, is deserialized.
- CVE-2024-54135 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-12-06
ClipBucket V5 provides open source video hosting with PHP. ClipBucket-v5 Version 2.0 to Version 5.5.1 Revision 199 are vulnerable to PHP Deserialization vulnerability. The vulnerability exists in upload/photo_upload.php within the decode_…
- CVE-2024-54136 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-12-06
ClipBucket V5 provides open source video hosting with PHP. ClipBucket-v5 Version 5.5.1 Revision 199 and below is vulnerable to PHP Deserialization vulnerability. The vulnerability exists in upload/upload.php where the user supplied input v…
- CVE-2024-54273 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-12-13
Deserialization of Untrusted Data vulnerability in PickPlugins Mail Picker mail-picker allows Object Injection. This issue affects Mail Picker: from n/a through <= 1.0.14.
- CVE-2024-54282 | HIGH | CVSS 7.2 | EG 7.2 | 2024-12-13
Deserialization of Untrusted Data vulnerability in Themeum WP Mega Menu wp-megamenu allows Object Injection. This issue affects WP Mega Menu: from n/a through <= 1.4.2.
- CVE-2024-54367 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-12-16
Deserialization of Untrusted Data vulnerability in Ultimate Member ForumWP forumwp allows Object Injection. This issue affects ForumWP: from n/a through <= 2.1.0.
- CVE-2024-54676 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-01-08
Vendor: The Apache Software Foundation. Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0. Description: Default clustering instructions at https://openmeetings.apache.org/Clustering.html doesn't specify white/black lists fo…
- CVE-2024-54678 | HIGH | CVSS 8.2 | EG 8.2 | 2025-08-12
A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions), SIMATIC PCS neo V5.0 (All versions), SIMATIC PCS neo V6.0 (All versions), SIMATIC S7-PLCSIM V17 (All versions), SIMATIC STEP 7 V17 (All versions < V17 Update 9), S…
- CVE-2024-5488 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-07-09
The SEOPress WordPress plugin before 7.9 does not properly protect some of its REST API routes, which combined with another Object Injection vulnerability can allow unauthenticated attackers to unserialize malicious gadget chains, comprom…
- CVE-2024-55555 | HIGH | CVSS 8.8 | EG 8.8 | 2025-01-07
Invoice Ninja before 5.10.43 allows remote code execution from a pre-authenticated route when an attacker knows the APP_KEY. This is exacerbated by .env files, available from the product's repository, that have default APP_KEY values. The …
- CVE-2024-55556 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-01-07
A vulnerability in Crater Invoice allows an unauthenticated attacker with knowledge of the APP_KEY to achieve remote command execution on the server by manipulating the laravel_session cookie, exploiting arbitrary deserialization through t…
- CVE-2024-55636 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-12-10
Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. Drupal core contains a chain of method…
- CVE-2024-55637 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-12-10
Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. Drupal core contains a chain of method…
- CVE-2024-55638 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-12-10
Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection. This issue affects Drupal Core: from 7.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9. Drupal core contains a chain of methods th…
- CVE-2024-5579 | HIGH | CVSS 7.2 | EG 7.2 | 2024-11-22
Allegra renderFieldMatch Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Allegra. Authentication is required to exploi…
- CVE-2024-5580 | HIGH | CVSS 7.2 | EG 7.2 | 2024-11-22
Allegra loadFieldMatch Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Allegra. Authentication is required to exploit …
- CVE-2024-56058 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-12-18
Deserialization of Untrusted Data vulnerability in denniskravetstns VRPConnector vrpconnector allows Object Injection. This issue affects VRPConnector: from n/a through <= 2.0.1.
- CVE-2024-56068 | HIGH | CVSS 7.5 | EG 7.5 | 2024-12-31
Deserialization of Untrusted Data vulnerability in azzaroco WP SuperBackup indeed-wp-superbackup. This issue affects WP SuperBackup: from n/a through <= 2.3.3.
- CVE-2024-56180 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-02-14
CWE-502 Deserialization of Untrusted Data at the eventmesh-meta-raft plugin module in Apache EventMesh master branch without release version on windows\linux\mac os e.g. platforms allows attackers to send controlled message and remote co…
- CVE-2024-56283 | HIGH | CVSS 8.1 | EG 8.1 | 2025-01-07
Deserialization of Untrusted Data vulnerability in plainware Locatoraid Store Locator locatoraid allows Object Injection. This issue affects Locatoraid Store Locator: from n/a through <= 3.9.50.
- CVE-2024-56291 | HIGH | CVSS 8.1 | EG 8.1 | 2025-01-07
Deserialization of Untrusted Data vulnerability in plainware PlainInventory z-inventory-manager allows Object Injection. This issue affects PlainInventory: from n/a through <= 3.1.6.
- CVE-2024-5649 | MEDIUM | CVSS 5.4 | EG 5.4 | 2024-06-19
The Universal Slider plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.6.5 via deserialization of untrusted input 'fsl_get_gallery_value' function. This makes it possible for authenticated a…
- CVE-2024-56515 | MEDIUM | CVSS 6.8 | EG 6.8 | 2025-01-16
Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix. If SVG or JPEGXL thumbnailers are enabled (they are disabled by default), a user may upload a file which claims to be either of these types and …
- CVE-2024-5671 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-06-14
Insecure Deserialization in some workflows of the IPS Manager allows unauthenticated remote attackers to perform arbitrary code execution and access to the vulnerable Trellix IPS Manager.
- CVE-2024-5675 | CRITICAL | CVSS 10.0 | EG 10.0 | 2024-06-06
Untrusted data deserialization vulnerability has been found in Mentor - Employee Portal, affecting version 3.83.35. This vulnerability could allow an attacker to execute arbitrary code, by injecting a malicious payload into the “ViewStat…