CWE-502

Medium likelihood

Deserialization of Untrusted Data

Parent: CWE-913 - Improper Control of Dynamically-Managed Code Resources

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

2,741 vulnerabilities with CWE-502
CVE-2026-35337 (HIGH, CVSS 8.8): Apache Storm Client: RCE through Unsafe Deserialization via Kerberos TGT Credential Handling
CVE-2026-25204 (MEDIUM, CVSS 6.2): Samsung Open Source Escargot - Denial of Service via Deserialization of Untrusted Data
CVE-2026-5507 (MEDIUM, CVSS 4.0): Session Cache Restore — Arbitrary Free via Deserialized Pointer
CVE-2026-3199 (CRITICAL): Nexus Repository 3 - Authenticated Remote Code Execution via Task Property Injection
CVE-2026-39890 (CRITICAL, CVSS 9.8): PraisonAI Affected by Remote Code Execution via YAML Deserialization in Agent Definition Loading
CVE-2026-23869 (HIGH, CVSS 7.5): React Server Components 19.0.0-19.0.4 19.1.0-19.1.5 19.2.0-19.2.4 - Denial of Service via Crafted HTTP Requests
CVE-2026-32590 (HIGH, CVSS 7.1): Mirror-registry: remote code execution using pickle deserialization
CVE-2026-3296 (CRITICAL, CVSS 9.8): Everest Forms <= 3.4.3 - Unauthenticated PHP Object Injection via Form Entry Metadata
CVE-2026-3357 (HIGH, CVSS 8.8): IBM Langflow Desktop FAISS Vector Store Remote Code Execution via malicious Pickle file
CVE-2026-33439 (CRITICAL, CVSS 9.8): Pre-Authentication Remote Code Execution via `jato.clientSession` Deserialization in OpenAM
CVE-2026-39324 (CRITICAL, CVSS 9.8): Rack::Session::Cookie secrets: decrypt failure fallback enables secretless session forgery and Marshal deserialization
CVE-2026-24156 (HIGH, CVSS 7.3): NVIDIA DALI < 2.0 - Remote Code Execution via Untrusted Data Deserialization
CVE-2026-35464 (HIGH, CVSS 7.5): pyLoad <=0.5.0b3.dev96 - Flask Session Store Code Execution
CVE-2026-1839 (HIGH, CVSS 7.8): Arbitrary Code Execution via Unsafe torch.load() in Trainer Checkpoint Loading in huggingface/transformers
CVE-2026-35171 (CRITICAL, CVSS 9.8): Arbitrary Code Execution via Malicious Logging Configuration in Kedro
CVE-2026-5659 (MEDIUM, CVSS 6.3): pytries datrie trie File datrie.pyx Trie.__setstate__ deserialization
CVE-2026-5536 (HIGH, CVSS 7.3): FedML-AI FedML gRPC server grpc_server.py sendMessage deserialization
CVE-2026-5473 (MEDIUM, CVSS 4.5): NASA cFS Pickle pickle.load deserialization
CVE-2026-35537 (LOW, CVSS 3.7): Roundcube Webmail <1.5.14 - Deserialization
CVE-2026-34838 (CRITICAL, CVSS 9.9): Group-Office: Authenticated Remote Code Execution via PHP Insecure Deserialization in `AbstractSettingsCollection`
CVE-2026-34877 (CRITICAL, CVSS 9.8): Mbed TLS 2.19.0-3.6.5, 4.0.0 - Memory Corruption
CVE-2026-29782 (HIGH, CVSS 7.2): OpenSTAManager: Remote Code Execution via Insecure Deserialization in OAuth2
CVE-2026-24165 (HIGH, CVSS 7.8): NVIDIA BioNeMo Framework - Deserialization of Untrusted Data
CVE-2026-24164 (HIGH, CVSS 8.8): NVIDIA BioNeMo Framework - Deserialization of Untrusted Data
CVE-2026-34202 (HIGH, CVSS 7.5): Zebra node crash — V5 transaction hash panic (P2P reachable)