CWE-502

Medium likelihood

Deserialization of Untrusted Data

Parent: CWE-913 - Improper Control of Dynamically-Managed Code Resources

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

2,741 vulnerabilities with CWE-502
CVE-2026-42211 (HIGH, CVSS 8.1): React Router 7.0.0-7.14.1 - Framework Mode Deserialization Remote Code Execution
CVE-2026-34993 (MEDIUM, CVSS 6.4): AIOHTTP Vulnerable to Deserialization of Untrusted Data
CVE-2026-24237 (HIGH, CVSS 7.8): Nvidia NVTabular - Deserialization of Untrusted Data
CVE-2026-24221 (HIGH, CVSS 7.8): Nvidia NVTabular - Deserialization of Untrusted Data
CVE-2026-39555 (HIGH, CVSS 8.1): WordPress Askka theme <= 1.3.1 - PHP Object Injection vulnerability
CVE-2026-39551 (HIGH, CVSS 8.1): WordPress Töbel theme <= 1.8.1 - PHP Object Injection vulnerability
CVE-2026-39550 (HIGH, CVSS 8.1): WordPress Aperitif theme <= 1.6 - PHP Object Injection vulnerability
CVE-2026-10566 (MEDIUM, CVSS 5.3): FoundationAgents MetaGPT schema.py Message.check_instruct_content deserialization
CVE-2026-9330 (HIGH, CVSS 8.5): IBM WebSphere Application Server 8.5 and 9.0 - Remote Code Execution via SAML Web SSO Deserialization
CVE-2026-9319 (CRITICAL, CVSS 9.0): IBM WebSphere Application Server 8.5 and 9.0 - Remote Code Execution via JAX-WS Endpoint Deserialization
CVE-2026-49121 (HIGH, CVSS 8.1): AI Tensor Engine for ROCm (AITER) <= 0.1.14 - Remote Code Execution via Pickle Deserialization
CVE-2026-38950 (HIGH, CVSS 7.8): ESA AnomalyMatch < 1.3.1 - Remote Code Execution via Unsafe Model Checkpoint Deserialization
CVE-2026-10532 (LOW): Logback deserialization whitelist bypass for Proxy objects
CVE-2026-7858 (CRITICAL, CVSS 9.8): Dassault Teamwork Cloud and Magic Collaboration Studio - Deserialization RCE
CVE-2026-45360 (HIGH, CVSS 7.3): Apache Airflow: Arbitrary import in custom deadline-reference deserialization
CVE-2026-42359 (HIGH, CVSS 8.8): Apache Airflow: Authenticated RCE via XCom PATCH endpoint — XComUpdateBody missing FORBIDDEN_XCOM_KEYS validator
CVE-2026-10042 (CRITICAL, CVSS 9.8): manga-image-translator RCE via Unsafe Pickle Deserialization in Share Model
CVE-2026-9828 (LOW): Logback deserialization whitelist bypass for java.lang and java.util
CVE-2026-37579 (HIGH, CVSS 7.3): SMSGate sms-core <= 2.1.13.6 - Remote Code Execution via Cmpp7FDeliverRequestMessageCodec
CVE-2026-47161 (HIGH): RELATE Vulnerable to Remote Code Execution (RCE) via Insecure Celery Pickle Deserialization
CVE-2026-45134 (HIGH, CVSS 7.1): LangSmith Client SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning
CVE-2026-48919 (MEDIUM, CVSS 6.6): Jenkins Active Directory Plugin < 2.41 - Deserialization of Untrusted Data
CVE-2026-48917 (MEDIUM, CVSS 6.6): Jenkins LDAP Plugin < 807.v7d7de30930cf - Deserialization of Untrusted Data from LDAP Referrals
CVE-2026-44843 (HIGH, CVSS 8.2): LangChain: Unsafe deserialization of attacker-controlled LangChain objects through overly broad `load()` allowlists
CVE-2026-24162 (HIGH, CVSS 7.8): Nvidia Merlin Transformers4Rec - Deserialization of Untrusted Data