CWE-502: Deserialization of Untrusted Data
2,474 active CVEs are classified under this weakness category, sourced from NVD, GHSA, and vendor advisories. The full definition is published by MITRE.
CVEs classified under CWE-502 (page 40 of 50)
- CVE-2025-42980 | CRITICAL | CVSS 9.1 | EG 9.1 | 2025-07-08
  SAP NetWeaver Enterprise Portal Federated Portal Network is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and ava…
- CVE-2025-42999 | CRITICAL | CVSS 9.1 | EG 9.1 | KEV | 2025-05-13
  SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability…
- CVE-2025-43489 | MEDIUM | CVSS 5.2 | EG 5.2 | 2025-07-23
  A potential security vulnerability has been identified in the Poly Clariti Manager for versions prior to 10.12.1. The vulnerability could deserialize untrusted data without validation. HP has addressed the issue in the latest software upda…
- CVE-2025-43713 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-07-03
  ASNA Assist and ASNA Registrar before 2025-03-31 allow deserialization attacks against .NET remoting. These are Windows system services that support license key management and deprecated Windows network authentication. The services are imp…
- CVE-2025-43846 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-05-05
  Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to unsafe deserialization. The ckpt_path1 variable takes user input (e.g. a path to a model) and passes …
- CVE-2025-43847 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-05-05
  Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to unsafe deserialization. The ckpt_path2 variable takes user input (e.g. a path to a model) and passes …
- CVE-2025-43848 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-05-05
  Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to unsafe deserialization. The ckpt_path0 variable takes user input (e.g. a path to a model) and passes …
- CVE-2025-43849 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-05-05
  Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to unsafe deserialization. The ckpt_a and cpkt_b variables take user input (e.g. a path to a model) and …
- CVE-2025-43850 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-05-05
  Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to unsafe deserialization. The ckpt_dir variable takes user input (e.g. a path to a model) and passes it…
- CVE-2025-43851 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-05-05
  Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to unsafe deserialization. The model_choose variable takes user input (e.g. a path to a model) and passes…
- CVE-2025-43852 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-05-05
  Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. Versions 2.2.231006 and prior are vulnerable to unsafe deserialization. The model_choose variable takes user input (e.g. a path to a model) and passes…
- CVE-2025-4393 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-07-24
  Medtronic MyCareLink Patient Monitor has an internal service that deserializes data, which allows a local attacker to interact with the service by crafting a binary payload to crash the service or elevate privileges. This issue affects M…
- CVE-2025-43960 | HIGH | CVSS 8.6 | EG 8.6 | 2025-08-25
  Adminer 4.8.1, when using Monolog for logging, allows a Denial of Service (memory consumption) via a crafted serialized payload (e.g., using s:1000000000), leading to a PHP Object Injection issue. Remote, unauthenticated attackers can trig…
- CVE-2025-45146 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-08-11
  ModelCache for LLM through v0.2.0 was discovered to contain a deserialization vulnerability via the component /manager/data_manager.py. This vulnerability allows attackers to execute arbitrary code via supplying crafted data.
- CVE-2025-46183 | HIGH | CVSS 8.2 | EG 8.2 | 2025-10-24
  The Utils.deserialize function in pgCodeKeeper 10.12.0 processes serialized data from untrusted sources. If an attacker provides a specially crafted .ser file, deserialization may result in unintended code execution or other malicious beha…
- CVE-2025-46473 | HIGH | CVSS 7.2 | EG 7.2 | 2025-04-24
  Deserialization of Untrusted Data vulnerability in Prisna Social Counter social-counter allows Object Injection. This issue affects Social Counter: from n/a through <= 2.0.5.
- CVE-2025-46481 | HIGH | CVSS 7.2 | EG 7.2 | 2025-04-24
  Deserialization of Untrusted Data vulnerability in Michael Cannon Flickr Shortcode Importer flickr-shortcode-importer allows Object Injection. This issue affects Flickr Shortcode Importer: from n/a through <= 2.2.3.
- CVE-2025-46567 | MEDIUM | CVSS 6.1 | EG 6.1 | 2025-05-01
  LLama Factory enables fine-tuning of large language models. Prior to version 1.0.0, a critical vulnerability exists in the `llamafy_baichuan2.py` script of the LLaMA-Factory project. The script performs insecure deserialization using `torc…
- CVE-2025-46738 | MEDIUM | CVSS 6.6 | EG 6.6 | 2025-05-12
  An authenticated attacker can maliciously modify layout data files in the SEL-5033 installation directory to execute arbitrary code.
- CVE-2025-4701 | MEDIUM | CVSS 5.3 | EG 5.3 | 2025-05-15
  A vulnerability, which was classified as problematic, has been found in VITA-MLLM Freeze-Omni up to 20250421. This issue affects the function torch.load of the file models/utils.py. The manipulation of the argument path leads to deserializ…
- CVE-2025-47163 | HIGH | CVSS 8.8 | EG 8.8 | 2025-06-10
  Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
- CVE-2025-47166 | HIGH | CVSS 8.8 | EG 8.8 | 2025-06-10
  Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
- CVE-2025-47277 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-05-20
  vLLM, an inference and serving engine for large language models (LLMs), has an issue in versions 0.6.5 through 0.8.4 that ONLY impacts environments using the `PyNcclPipe` KV cache transfer integration with the V0 engine. No other configura…
- CVE-2025-47292 | CRITICAL | CVSS 9.5 | EG 0.0 | 2025-05-14
  Cap Collectif is an online decision making platform that integrates several tools. Before commit 812f2a7d271b76deab1175bdaf2be0b8102dd198, the `DebateAlternateArgumentsResolver` deserializes a `Cursor`, allowing any classes and which can b…
- CVE-2025-4740 | MEDIUM | CVSS 5.3 | EG 5.3 | 2025-05-16
  A vulnerability was found in BeamCtrl Airiana up to 11.0. It has been declared as problematic. This vulnerability affects unknown code of the file coef. The manipulation leads to deserialization. The attack needs to be approached locally. …
- CVE-2025-4742 | MEDIUM | CVSS 5.3 | EG 5.3 | 2025-05-16
  A vulnerability classified as problematic has been found in XU-YIJIE grpo-flat up to 9024b43f091e2eb9bac65802b120c0b35f9ba856. Affected is the function main of the file grpo_vanilla.py. The manipulation leads to deserialization. Local acce…
- CVE-2025-47530 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-05-23
  Deserialization of Untrusted Data vulnerability in WPFunnels WPFunnels wpfunnels allows Object Injection. This issue affects WPFunnels: from n/a through <= 3.5.18.
- CVE-2025-47532 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-05-23
  Deserialization of Untrusted Data vulnerability in CoinPayments CoinPayments.net Payment Gateway for WooCommerce coinpayments-payment-gateway-for-woocommerce allows Object Injection. This issue affects CoinPayments.net Payment Gateway for W…
- CVE-2025-47536 | HIGH | CVSS 7.2 | EG 7.2 | 2025-08-14
  Deserialization of Untrusted Data vulnerability in keywordrush Content Egg content-egg allows Object Injection. This issue affects Content Egg: from n/a through <= 7.0.0.
- CVE-2025-47552 | CRITICAL | CVSS 9.8 | EG 9.8 | 2026-01-07
  Deserialization of Untrusted Data vulnerability in Digital zoom studio DZS Video Gallery allows Object Injection. This issue affects DZS Video Gallery: from n/a through 12.37.
- CVE-2025-47553 | HIGH | CVSS 8.8 | EG 8.8 | 2026-01-06
  Deserialization of Untrusted Data vulnerability in Digital zoom studio DZS Video Gallery allows Object Injection. This issue affects DZS Video Gallery: from n/a through 12.25.
- CVE-2025-47568 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-05-23
  Deserialization of Untrusted Data vulnerability in ZoomIt ZoomSounds dzs-zoomsounds allows Object Injection. This issue affects ZoomSounds: from n/a through <= 6.91.
- CVE-2025-47579 | CRITICAL | CVSS 9.0 | EG 9.0 | 2025-09-09
  Deserialization of Untrusted Data vulnerability in ThemeGoods Photography photography allows Object Injection. This issue affects Photography: from n/a through <= 7.7.2.
- CVE-2025-47581 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-05-19
  Deserialization of Untrusted Data vulnerability in elbisnero WordPress Events Calendar Registration & Tickets wpeventplus allows Object Injection. This issue affects WordPress Events Calendar Registration & Tickets: from n/a through <= 2.6.…
- CVE-2025-47582 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-05-19
  Deserialization of Untrusted Data vulnerability in QuantumCloud WPBot Pro Wordpress Chatbot allows Object Injection. This issue affects WPBot Pro Wordpress Chatbot: from n/a through 12.7.0.
- CVE-2025-47584 | HIGH | CVSS 8.5 | EG 8.5 | 2025-06-06
  Deserialization of Untrusted Data vulnerability in ThemeGoods Photography. This issue affects Photography: from n/a through 7.5.2.
- CVE-2025-47629 | HIGH | CVSS 7.2 | EG 7.2 | 2025-05-07
  Deserialization of Untrusted Data vulnerability in Mario Peshev WP-CRM System wp-crm-system allows Object Injection. This issue affects WP-CRM System: from n/a through <= 3.4.5.
- CVE-2025-47660 | HIGH | CVSS 8.8 | EG 8.8 | 2025-05-23
  Deserialization of Untrusted Data vulnerability in Codexpert, Inc WC Affiliate wc-affiliate allows Object Injection. This issue affects WC Affiliate: from n/a through <= 2.16.
- CVE-2025-47683 | HIGH | CVSS 7.2 | EG 7.2 | 2025-05-07
  Deserialization of Untrusted Data vulnerability in Florent Maillefaud WP Maintenance wp-maintenance allows Object Injection. This issue affects WP Maintenance: from n/a through <= 6.1.9.7.
- CVE-2025-47732 | HIGH | CVSS 8.7 | EG 8.7 | 2025-05-08
  Deserialization of untrusted data in Microsoft Dataverse allows an authorized attacker to execute code over a network.
- CVE-2025-47771 | HIGH | CVSS 8.1 | EG 0.0 | 2025-06-20
  PowSyBl (Power System Blocks) is a framework to build power system oriented software. In versions 6.3.0 to 6.7.1, there is a deserialization issue in the read method of the SparseMatrix class that can lead to a wide range of privilege esca…
- CVE-2025-47784 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-05-15
  Emlog is an open source website building system. Versions 2.5.13 and prior have a deserialization vulnerability. A user who creates a carefully crafted nickname can cause `str_replace` to replace the value of `name_orig` with empty, causin…
- CVE-2025-47994 | HIGH | CVSS 7.8 | EG 7.8 | 2025-07-08
  Deserialization of untrusted data in Microsoft Office allows an unauthorized attacker to elevate privileges locally.
- CVE-2025-48018 | HIGH | CVSS 7.5 | EG 7.5 | 2025-05-20
  An authenticated user can modify application state data.
- CVE-2025-4803 | HIGH | CVSS 7.2 | EG 7.2 | 2025-05-21
  The Glossary by WPPedia – Best Glossary plugin for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.0 via deserialization of untrusted input from the 'posttypes' parameter. Th…
- CVE-2025-48086 | MEDIUM | CVSS 5.5 | EG 9.8 | 2025-11-06
  Deserialization of Untrusted Data vulnerability in wpdreams Ajax Search Lite ajax-search-lite allows Object Injection. This issue affects Ajax Search Lite: from n/a through <= 4.13.3.
- CVE-2025-48101 | HIGH | CVSS 8.8 | EG 8.8 | 2025-09-09
  Deserialization of Untrusted Data vulnerability in webdevstudios Constant Contact for WordPress allows Object Injection. This issue affects Constant Contact for WordPress: from n/a through 4.1.1.
- CVE-2025-48134 | HIGH | CVSS 7.2 | EG 7.2 | 2025-05-16
  Deserialization of Untrusted Data vulnerability in ShapedPlugin LLC WP Tabs wp-expand-tabs-free allows Object Injection. This issue affects WP Tabs: from n/a through <= 2.2.12.
- CVE-2025-48200 | CRITICAL | CVSS 10.0 | EG 10.0 | 2025-05-21
  The sr_feuser_register extension through 12.4.8 for TYPO3 allows Remote Code Execution.
- CVE-2025-48287 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-05-23
  Deserialization of Untrusted Data vulnerability in Pagaleve Pix 4x sem juros - Pagaleve wc-pagaleve allows Object Injection. This issue affects Pix 4x sem juros - Pagaleve: from n/a through <= 1.6.9.