CWE-502: Deserialization of Untrusted Data
Medium likelihood
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
2,593 vulnerabilities with CWE-502
CVE-2026-40901
HIGH
DataEase: Quartz Deserialization → Remote Code Execution
CVSS 8.8
CVE-2026-5426
HIGH
KnowledgeDeliver deployments before February 24, 2026 use a static ASP.NET/IIS machineKey value
CVSS 7.5
CVE-2026-34615
CRITICAL
Adobe Connect | Deserialization of Untrusted Data (CWE-502)
CVSS 9.3
CVE-2026-32192
HIGH
Azure Monitor Agent Elevation of Privilege Vulnerability
CVSS 7.8
CVE-2026-32184
HIGH
Microsoft High Performance Compute (HPC) Pack Elevation of Privilege Vulnerability
CVSS 7.8
CVE-2026-27303
CRITICAL
Adobe Connect | Deserialization of Untrusted Data (CWE-502)
CVSS 9.6
CVE-2026-3017
HIGH
Smart Post Show – Post Grid, Post Carousel & Slider, and List Category Posts <= 3.0.12 - Authenticated (Administrator+) PHP Object Injection
CVSS 7.2
CVE-2026-40044
CRITICAL
Pachno 1.0.6 FileCache Deserialization Remote Code Execution
CVSS 9.8
CVE-2026-33858
HIGH
Apache Airflow: Unsafe Deserialization via Legacy Serialization Keys (__type/__var) Bypass in XCom API
CVSS 8.8
CVE-2026-1462
HIGH
Safe Mode Bypass in keras-team/keras
CVSS 8.8
CVE-2026-35337
HIGH
Apache Storm Client: RCE through Unsafe Deserialization via Kerberos TGT Credential Handling
CVSS 8.8
CVE-2026-25204
MEDIUM
Samsung Open Source Escargot - Denial of Service
CVSS 6.2
CVE-2026-5507
MEDIUM
Session Cache Restore — Arbitrary Free via Deserialized Pointer
CVSS 4.0
CVE-2026-3199
CRITICAL
Nexus Repository 3 - Authenticated Remote Code Execution via Task Property Injection
CVE-2026-39890
CRITICAL
PraisonAI Affected by Remote Code Execution via YAML Deserialization in Agent Definition Loading
CVSS 9.8
CVE-2026-23869
HIGH
Meta React-server-dom-turbopack < 19.0.4 - Denial of Service
CVSS 7.5
CVE-2026-32590
HIGH
Mirror-registry: remote code execution using pickle deserialization
CVSS 7.1
CVE-2026-3296
CRITICAL
Everest Forms <= 3.4.3 - Unauthenticated PHP Object Injection via Form Entry Metadata
CVSS 9.8
CVE-2026-3357
HIGH
IBM Langflow Desktop FAISS Vector Store Remote Code Execution via malicious Pickle file
CVSS 8.8
CVE-2026-33439
CRITICAL
Pre-Authentication Remote Code Execution via `jato.clientSession` Deserialization in OpenAM
CVSS 9.8
CVE-2026-39324
CRITICAL
Rack::Session::Cookie secrets: decrypt failure fallback enables secretless session forgery and Marshal deserialization
CVSS 9.8
CVE-2026-24156
HIGH
NVIDIA DALI <2.0 - Deserialization
CVSS 7.3
CVE-2026-35464
HIGH
pyLoad has an incomplete fix for CVE-2026-33509: unprotected storage_folder enables arbitrary file write to Flask session store and code execution
CVSS 7.5
CVE-2026-1839
HIGH
Arbitrary Code Execution via Unsafe torch.load() in Trainer Checkpoint Loading in huggingface/transformers
CVSS 7.8
CVE-2026-35171
CRITICAL
Arbitrary Code Execution via Malicious Logging Configuration in Kedro
CVSS 9.8
Details
Vulnerabilities: 2,593
Exploit Likelihood: Medium