CWE-502: Deserialization of Untrusted Data
2,475 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-502 (page 44 of 50)
- CVE-2025-60174 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-12-18
  Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Constant Contact Plugin gf-constant-contact allows Object Injection. This issue affects WP Gravity Forms Constant Contact Plugin: from n/a through <= 1.1.2.
- CVE-2025-60178 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-12-18
  Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms HubSpot gf-hubspot allows Object Injection. This issue affects WP Gravity Forms HubSpot: from n/a through <= 1.2.6.
- CVE-2025-60180 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-12-18
  Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Salesforce gf-salesforce-crmperks allows Object Injection. This issue affects WP Gravity Forms Salesforce: from n/a through <= 1.5.1.
- CVE-2025-60209 | CRITICAL | CVSS 9.8 | EG 8.2 | 2025-10-22
  Deserialization of Untrusted Data vulnerability in CRM Perks Connector for Gravity Forms and Google Sheets wp-gravity-forms-spreadsheets allows Object Injection. This issue affects Connector for Gravity Forms and Google Sheets: from n/a thr…
- CVE-2025-60210 | CRITICAL | CVSS 9.8 | EG 6.5 | 2025-10-22
  Deserialization of Untrusted Data vulnerability in wpeverest Everest Forms - Frontend Listing everest-forms-frontend-listing allows Object Injection. This issue affects Everest Forms - Frontend Listing: from n/a through <= 1.0.5.
- CVE-2025-60212 | HIGH | CVSS 8.8 | EG 8.8 | 2025-10-22
  Deserialization of Untrusted Data vulnerability in designthemes VEDA veda allows Object Injection. This issue affects VEDA: from n/a through <= 4.2.
- CVE-2025-60213 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-10-22
  Deserialization of Untrusted Data vulnerability in Whitebox-Studio Scape scape allows Object Injection. This issue affects Scape: from n/a through <= 1.5.13.
- CVE-2025-60214 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-10-22
  Deserialization of Untrusted Data vulnerability in BoldThemes Goldenblatt goldenblatt allows Object Injection. This issue affects Goldenblatt: from n/a through < 1.3.0.
- CVE-2025-60215 | HIGH | CVSS 8.8 | EG 5.3 | 2025-10-22
  Deserialization of Untrusted Data vulnerability in designthemes Kriya kriya allows Object Injection. This issue affects Kriya: from n/a through <= 3.4.
- CVE-2025-60216 | CRITICAL | CVSS 9.8 | EG 5.3 | 2025-10-22
  Deserialization of Untrusted Data vulnerability in BoldThemes Addison addison allows Object Injection. This issue affects Addison: from n/a through < 1.4.8.
- CVE-2025-60221 | CRITICAL | CVSS 9.8 | EG 6.5 | 2025-10-22
  Deserialization of Untrusted Data vulnerability in captivateaudio Captivate Sync captivatesync-trade allows Object Injection. This issue affects Captivate Sync: from n/a through <= 3.0.3.
- CVE-2025-60224 | CRITICAL | CVSS 9.8 | EG 6.5 | 2025-10-22
  Deserialization of Untrusted Data vulnerability in wpshuffle Subscribe to Download subscribe-to-download allows Object Injection. This issue affects Subscribe to Download: from n/a through <= 2.0.9.
- CVE-2025-60225 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-10-22
  Deserialization of Untrusted Data vulnerability in AncoraThemes BugsPatrol bugspatrol allows Object Injection. This issue affects BugsPatrol: from n/a through <= 1.5.0.
- CVE-2025-60226 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-10-22
  Deserialization of Untrusted Data vulnerability in axiomthemes White Rabbit whiterabbit allows Object Injection. This issue affects White Rabbit: from n/a through <= 1.5.2.
- CVE-2025-60228 | HIGH | CVSS 8.8 | EG 8.8 | 2025-10-22
  Deserialization of Untrusted Data vulnerability in designthemes Knowledge Base kbase allows Object Injection. This issue affects Knowledge Base: from n/a through <= 2.9.
- CVE-2025-60232 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-10-22
  Deserialization of Untrusted Data vulnerability in quantumcloud KBx Pro Ultimate knowledgebase-helpdesk-pro allows Object Injection. This issue affects KBx Pro Ultimate: from n/a through <= 8.0.5.
- CVE-2025-60234 | HIGH | CVSS 8.8 | EG 8.8 | 2025-10-22
  Deserialization of Untrusted Data vulnerability in designthemes Single Property single-property allows Object Injection. This issue affects Single Property: from n/a through <= 2.8.
- CVE-2025-60238 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-10-22
  Deserialization of Untrusted Data vulnerability in universam UNIVERSAM universam-demo allows Object Injection. This issue affects UNIVERSAM: from n/a through <= 9.04.02.
- CVE-2025-60245 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-11-06
  Deserialization of Untrusted Data vulnerability in WP User Manager WP User Manager wp-user-manager allows Object Injection. This issue affects WP User Manager: from n/a through <= 2.9.12.
- CVE-2025-60455 | HIGH | CVSS 8.4 | EG 8.4 | 2025-11-18
  Unsafe Deserialization vulnerability in Modular Max Serve before 25.6, specifically when the "--experimental-enable-kvcache-agent" feature is used, allowing attackers to execute arbitrary code.
- CVE-2025-60828 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-10-08
  WukongCRM-9.0-JAVA was discovered to contain a fastjson deserialization vulnerability via the /OaExamine/setOaExamine interface.
- CVE-2025-60830 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-10-08
  redragon-erp v1.0 was discovered to contain a Shiro deserialization vulnerability caused by the default Shiro key.
- CVE-2025-60834 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-10-08
  A fastjson deserialization vulnerability in uzy-ssm-mall v1.1.0 allows attackers to execute arbitrary code via supplying a crafted input.
- CVE-2025-60887 | MEDIUM | CVSS 5.3 | EG 5.3 | 2026-04-28
  An issue was discovered in Cista v0.15 and below. Insecure deserialization of untrusted input under certain conditions may lead to leaking of stack/heap addresses which may be used to bypass ASLR. Classes with pointer-like mechanics under …
- CVE-2025-60889 | CRITICAL | CVSS 9.8 | EG 9.8 | 2026-04-28
  Insecure deserialization of untrusted input in StellarGroup HPX 1.11.0 under certain conditions may allow attackers to execute arbitrary code or other unspecified impacts.
- CVE-2025-61168 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-11-25
  An issue in the cms_rest.php component of SIGB PMB v8.0.1.14 allows attackers to execute arbitrary code via unserializing an arbitrary file.
- CVE-2025-61505 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-10-10
  e107 CMS through 2.3.3 is vulnerable to insecure deserialization in the `install.php` script. The script processes user-controlled input in the `previous_steps` POST parameter using `unserialize(base64_decode())` without validation, allowing…
- CVE-2025-61622 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-10-01
  Deserialization of untrusted data in python in pyfory versions 0.12.0 through 0.12.2, or the legacy pyfury versions from 0.1.0 through 0.10.3: allows arbitrary code execution. An application is vulnerable if it reads pyfory serialized…
- CVE-2025-61677 | LOW | CVSS 2.5 | EG 2.5 | 2025-10-03
  DataChain is a Python-based AI-data warehouse for transforming and analyzing unstructured data. Versions 0.34.1 and below allow for deserialization of untrusted data because of the way the DataChain library reads serialized objects from env…
- CVE-2025-61765 | MEDIUM | CVSS 6.4 | EG 6.4 | 2025-10-06
  python-socketio is a Python implementation of the Socket.IO realtime client and server. A remote code execution vulnerability in python-socketio versions prior to 5.14.0 allows attackers to execute arbitrary Python code through malicious p…
- CVE-2025-61810 | HIGH | CVSS 8.4 | EG 8.4 | 2025-12-10
  ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. A high privileged attacker could e…
- CVE-2025-61880 | HIGH | CVSS 8.8 | EG 8.8 | 2026-02-12
  In Infoblox NIOS through 9.0.7, insecure deserialization can result in remote code execution.
- CVE-2025-62008 | HIGH | CVSS 8.8 | EG 8.8 | 2025-10-22
  Deserialization of Untrusted Data vulnerability in acowebs Product Table For WooCommerce product-table-for-woocommerce. This issue affects Product Table For WooCommerce: from n/a through <= 1.2.4.
- CVE-2025-62025 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-10-22
  Deserialization of Untrusted Data vulnerability in eyecix JobSearch wp-jobsearch. This issue affects JobSearch: from n/a through < 3.0.8.
- CVE-2025-62035 | HIGH | CVSS 8.8 | EG 8.8 | 2025-11-06
  Deserialization of Untrusted Data vulnerability in uxper Togo togo. This issue affects Togo: from n/a through < 1.0.4.
- CVE-2025-62164 | HIGH | CVSS 8.8 | EG 8.8 | 2025-11-21
  vLLM is an inference and serving engine for large language models (LLMs). From versions 0.10.2 to before 0.11.1, a memory corruption vulnerability could lead to a crash (denial-of-service) and potentially remote code execution (RCE), exist…
- CVE-2025-62204 | HIGH | CVSS 8.0 | EG 8.0 | 2025-11-11
  Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
- CVE-2025-62233 | MEDIUM | CVSS 6.3 | EG 6.3 | 2026-04-24
  Deserialization of Untrusted Data vulnerability in Apache DolphinScheduler RPC module. This issue affects Apache DolphinScheduler: Version >= 3.2.0 and < 3.3.1. Attackers who can access the Master or Worker nodes can compromise the sy…
- CVE-2025-62368 | CRITICAL | CVSS 9.0 | EG 9.0 | 2025-10-28
  Taiga is an open source project management platform. In versions 6.8.3 and earlier, a remote code execution vulnerability exists in the Taiga API due to unsafe deserialization of untrusted data. This issue is fixed in version 6.9.0.
- CVE-2025-62373 | CRITICAL | CVSS 9.8 | EG 9.8 | 2026-04-23
  Pipecat is an open-source Python framework for building real-time voice and multimodal conversational agents. Versions 0.0.41 through 0.0.93 have a vulnerability in `LivekitFrameSerializer` – an optional, non-default, undocumented frame …
- CVE-2025-62419 | HIGH | CVSS 7.5 | EG 7.5 | 2025-10-17
  DataEase is a data visualization and analytics platform. In DataEase versions through 2.10.13, a JDBC URL injection vulnerability exists in the DB2 and MongoDB data source configuration handlers. In the DB2 data source handler, when the ex…
- CVE-2025-62420 | HIGH | CVSS 8.8 | EG 8.8 | 2025-10-17
  DataEase is a data visualization and analytics platform. In DataEase versions through 2.10.13, a JDBC driver bypass vulnerability exists in the H2 database connection handler. The getJdbc function in H2.java checks if the jdbcUrl starts wi…
- CVE-2025-62515 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-10-17
  pyquokka is a framework for making data lakes work for time series. In versions 0.3.1 and prior, the FlightServer class directly uses pickle.loads() to deserialize action bodies received from Flight clients without any sanitization or vali…
- CVE-2025-62703 | HIGH | CVSS 8.8 | EG 8.8 | 2025-11-25
  Fugue is a unified interface for distributed computing that lets users execute Python, Pandas, and SQL code on Spark, Dask, and Ray with minimal rewrites. In version 0.9.2 and prior, there is a remote code execution vulnerability by pickle…
- CVE-2025-6279 | MEDIUM | CVSS 5.5 | EG 5.5 | 2025-06-19
  A vulnerability, which was classified as critical, has been found in Upsonic up to 0.55.6. This issue affects the function cloudpickle.loads of the file /tools/add_tool of the component Pickle Handler. The manipulation leads to deserializa…
- CVE-2025-63617 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-11-10
  ktg-mes before commit a484f96 (2025-07-03) has a fastjson deserialization vulnerability. This is because it uses a vulnerable version of fastjson and deserializes unsafe input data.
- CVE-2025-63675 | MEDIUM | CVSS 6.9 | EG 6.9 | 2025-10-31
  cryptidy through 1.2.4 allows code execution via untrusted data because pickle.loads is used. This occurs in aes_decrypt_message in symmetric_encryption.py.
- CVE-2025-63721 | HIGH | CVSS 8.8 | EG 8.8 | 2025-12-08
  HummerRisk through v1.5.0 is using a vulnerable Snakeyaml component, allowing attackers with normal user privileges to hit the /rule/add API and thereby achieve RCE and take over the server.
- CVE-2025-63950 | HIGH | CVSS 7.5 | EG 7.5 | 2025-12-18
  An insecure deserialization vulnerability exists in the download.php script of the to3k Twittodon application through commit b1c58a7d1dc664b38deb486ca290779621342c0b (2023-02-28). The 'obj' parameter receives base64-encoded data that is pa…
- CVE-2025-63951 | HIGH | CVSS 7.5 | EG 7.5 | 2025-12-18
  An insecure deserialization vulnerability exists in the rss-mp3.php script of the MiczFlor RPi-Jukebox-RFID project through commit 4b2334f0ae0e87c0568876fc41c48c38aa9a7014 (2025-10-07). The 'rss' GET parameter receives data that is passed …