CWE-502

Exploit likelihood: Medium

Deserialization of Untrusted Data

Parent: CWE-913 - Improper Control of Dynamically-Managed Code Resources

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
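
The weakness in one runnable form, added here as an illustration and not code from any product listed on this page: the Openpilot entry below is a pickle.loads case, and the Spring for Apache Kafka and Pulsar entries describe allow-lists whose trusted-package matching is too broad. The Python example below, with constructed payloads, shows the same three outcomes: a pickle gadget executes under plain pickle.loads, slips past an allow-list that trusts whole modules, and is rejected by an allow-list of exact (module, name) pairs. The gadget calls builtins.eval on a harmless expression; an attacker's would run anything.

```python
import collections
import io
import pickle


class _Gadget:
    """Constructed attacker object: pickling it emits a GLOBAL for builtins.eval
    followed by REDUCE, so *unpickling* the bytes calls eval() on the string."""

    def __reduce__(self):
        # Harmless stand-in for attacker code; any importable callable works here.
        return (eval, ("__import__('os').getcwd()",))


# Constructed sample inputs, not captured traffic.
MALICIOUS = pickle.dumps(_Gadget())
BENIGN = pickle.dumps(collections.OrderedDict([("user", "alice"), ("roles", ["viewer"])]))


def unsafe_load(data: bytes):
    """Vulnerable form: pickle.loads resolves and calls whatever global the stream names."""
    return pickle.loads(data)


class ModuleAllowlistUnpickler(pickle.Unpickler):
    """Still broken: trusting whole modules (the Python analogue of overly broad
    trusted-package matching) lets builtins.eval through alongside builtins.set."""

    TRUSTED_MODULES = {"builtins", "collections"}

    def find_class(self, module, name):
        if module in self.TRUSTED_MODULES:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


class ExactAllowlistUnpickler(pickle.Unpickler):
    """Hardened form: exact (module, name) pairs; find_class runs when the GLOBAL
    opcode is read, ahead of REDUCE, so a rejected name never gets called."""

    ALLOWED = {
        ("collections", "OrderedDict"),
        ("builtins", "set"),
        ("builtins", "frozenset"),
    }

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def module_allowlist_load(data: bytes):
    return ModuleAllowlistUnpickler(io.BytesIO(data)).load()


def safe_load(data: bytes):
    return ExactAllowlistUnpickler(io.BytesIO(data)).load()


def try_load(loader, data: bytes):
    """Return ('ok', value) or ('rejected', reason) so the loaders can be compared."""
    try:
        return ("ok", loader(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    for label, loader in [("pickle.loads", unsafe_load),
                          ("module allow-list", module_allowlist_load),
                          ("exact allow-list", safe_load)]:
        print(f"{label:18} benign    -> {try_load(loader, BENIGN)}")
        print(f"{label:18} malicious -> {try_load(loader, MALICIOUS)}")
```

Run it as a script to see the three loaders side by side. The exact allow-list is a mitigation, not a fix: any allowed class with a dangerous __setstate__ or __reduce__ reopens the hole, and the unpickler still allocates whatever the stream asks for. For input that crosses a trust boundary, the safer choice is a data-only format such as JSON with schema validation rather than a filtered object stream.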

2,741 vulnerabilities with CWE-502

CVE ID          Severity  CVSS  Title
CVE-2026-11860  HIGH            Insecure Deserialisation via Plaintext HTTP leading to Remote Code Execution in Quick.CMS
CVE-2026-12191  HIGH      7.8   Comma AI Openpilot Pickle modeld.py pickle.loads deserialization
CVE-2026-41699  HIGH      8.1   Unsafe Deserialization in Spring GraphQL
CVE-2026-20251  HIGH      8.8   Remote Code Execution through Deserialization of Untrusted Data in Splunk Secure Gateway
CVE-2026-53435  HIGH      8.8   Jenkins - Deserialization of Untrusted Data
CVE-2026-52751  HIGH      8.8   Ghidra < 12.1 - Remote Code Execution via Unfiltered RMI Deserialization in Shared Project Connection
CVE-2026-10721  HIGH            Concrete CMS < 9.5.2 - PHP Object Injection via unserialize()
CVE-2026-11815  MEDIUM          Insecure Deserialization via MITM in Layer 7 Policy Manager
CVE-2026-41732  HIGH      8.1   In Spring for Apache Pulsar, overly broad trusted-package matching in header mapper exposes JDK classes to deserialization
CVE-2026-41731  HIGH      8.1   In Spring for Apache Kafka, overly broad trusted-package matching in header mappers exposes JDK classes to deserialization
CVE-2026-40993  HIGH      7.3   Unfiltered Java Native Deserialization of SAML 2.0 Asserting Party Credentials BLOB Database Entry
CVE-2026-44963  CRITICAL        Veeam Backup And Replication < 12.3.2 - Deserialization of Untrusted Data
CVE-2026-48560  MEDIUM    5.4   Microsoft SharePoint Server Spoofing Vulnerability
CVE-2026-45484  HIGH      8.8   Microsoft SharePoint Elevation of Privilege Vulnerability
CVE-2026-26142  CRITICAL  9.8   Nuance PowerScribe Remote Code Execution Vulnerability
CVE-2026-49740  MEDIUM          TYPO3 CMS - Insecure Deserialization in Core API
CVE-2026-8365   HIGH      8.8   Blocksy <= 2.1.41 - Authenticated (Contributor+) PHP Object Injection via Deserialization of Untrusted Data via 'blocksy_meta' REST API Field
CVE-2026-41855  HIGH      8.1   Spring Framework Unsafe Deserialization via Jackson JMS Converters
CVE-2026-7566   MEDIUM    6.6   LearnPress – Backup & Migration Tool <= 4.1.4 - Authenticated (Administrator+) PHP Object Injection via WXR XML File Upload
CVE-2026-7654   HIGH      8.8   Admin Columns <= 7.0.18 - Authenticated (Contributor+) PHP Object Injection to Remote Code Execution via Custom Field Meta Value
CVE-2026-25551  HIGH      7.8   Seagull Software BarTender Deserialization Privilege Escalation via .NET Remoting Service
CVE-2026-25550  CRITICAL  9.8   Seagull Software BarTender Unauthenticated RCE via .NET Remoting Service
CVE-2026-50076  CRITICAL  9.1   Apache Fory: Java ReplaceResolverSerializer deserialization checks bypass
CVE-2026-7888   HIGH            Concrete CMS < 9.5.2 - PHP Object Injection
CVE-2026-47065  CRITICAL  9.8   Apache MINA: Critical Deserialization Allow-list Bypass via resolveProxyClass - ZDRES-232