CWE-502: Deserialization of Untrusted Data — known CVE vulnerabilities
CVEs classified under CWE-502 (Deserialization of Untrusted Data), ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2026-41104 — CVSS 10.0 (critical): Deserialization of untrusted data in Microsoft Planetary Computer Pro allows an unauthorized attacker to disclose information over a…
CVE-2026-43633 — CVSS 10.0 (critical): HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a session format…
CVE-2026-33819 — CVSS 10.0 (critical): Deserialization of untrusted data in Microsoft Bing allows an unauthorized attacker to execute code over a network.
CVE-2026-25632 — CVSS 10.0 (critical): EPyT-Flow is a Python package designed for the easy generation of hydraulic and water quality scenario data of water distribution networks…
CVE-2025-14931 — CVSS 10.0 (critical): Hugging Face smolagents Remote Python Executor Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability…
CVE-2025-10363: Deserialization of Untrusted Data vulnerability in Topal Solutions AG Topal Finanzbuchhaltung on Windows allows Remote Code Execution.This…
CVE-2025-58384 — CVSS 10.0 (critical): In DOXENSE WATCHDOC before 6.1.1.5332, Deserialization of Untrusted Data can lead to remote code execution through the .NET Remoting…
CVE-2025-42944 — CVSS 10.0 (critical): Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by…
CVE-2024-13980: H3C Intelligent Management Center (IMC) versions up to and including E0632H07 contains a remote command execution vulnerability in the…
CVE-2025-34153: Hyland OnBase versions prior to 17.0.2.87 (other versions may be affected) are vulnerable to unauthenticated remote code execution via…
CVE-2025-34067: An unauthenticated remote command execution vulnerability exists in the applyCT component of the Hikvision Integrated Security Management…
CVE-2025-30012 — CVSS 10.0 (critical): The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component, which allows an…
CVE-2025-32444 — CVSS 10.0 (critical): vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Versions starting from 0.6.5 and prior to 0.8.5…
CVE-2024-44102 — CVSS 10.0 (critical): A vulnerability has been identified in PP TeleControl Server Basic 1000 to 5000 V3.1 (6NH9910-0AA31-0AE1) (All versions < V3.1.2.1 with…
CVE-2024-5932 — CVSS 10.0 (critical): The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to…
CVE-2024-37099 — CVSS 10.0 (critical): Deserialization of Untrusted Data vulnerability in Liquid Web GiveWP allows Object Injection.This issue affects GiveWP: from n/a through…
CVE-2024-5675 — CVSS 10.0 (critical): Untrusted data deserialization vulnerability has been found in Mentor - Employee Portal, affecting version 3.83.35. This vulnerability…
CVE-2024-30225 — CVSS 10.0 (critical): Deserialization of Untrusted Data vulnerability in WPENGINE, INC. WP Migrate.This issue affects WP Migrate: from n/a through 2.6.10.
CVE-2024-30224 — CVSS 10.0 (critical): Deserialization of Untrusted Data vulnerability in Wholesale Team WholesaleX.This issue affects WholesaleX: from n/a through 1.3.2.
CVE-2024-1651 — CVSS 10.0 (critical): Torrentpier version 2.4.1 allows executing arbitrary commands on the server. This is possible because the application is vulnerable to…
CVE-2024-25100 — CVSS 10.0 (critical): Deserialization of Untrusted Data vulnerability in WP Swings Coupon Referral Program allows Object Injection.This issue affects Coupon…
CVE-2023-52225 — CVSS 10.0 (critical): Deserialization of Untrusted Data vulnerability in Tagbox Tagbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics.This…
CVE-2023-52218 — CVSS 10.0 (critical): Deserialization of Untrusted Data vulnerability in Anton Bond Woocommerce Tranzila Payment Gateway.This issue affects Woocommerce Tranzila…
CVE-2023-52181 — CVSS 10.0 (critical): Deserialization of Untrusted Data vulnerability in Presslabs Theme per user.This issue affects Theme per user: from n/a through 1.0.1.
CVE-2023-51505 — CVSS 10.0 (critical): Deserialization of Untrusted Data vulnerability in realmag777 Active Products Tables for WooCommerce. Professional products tables for…
CVE-2023-49778 — CVSS 10.0 (critical): Deserialization of Untrusted Data vulnerability in Hakan Demiray Sayfa Sayac.This issue affects Sayfa Sayac: from n/a through 2.6.
CVE-2023-49773 — CVSS 10.0 (critical): Deserialization of Untrusted Data vulnerability in Tim Brattberg BCorp Shortcodes.This issue affects BCorp Shortcodes: from n/a through…
CVE-2023-49772 — CVSS 10.0 (critical): Deserialization of Untrusted Data vulnerability in Phpbits Creative Studio Genesis Simple Love.This issue affects Genesis Simple Love: from…
CVE-2022-41875 — CVSS 10.0 (critical): A remote code execution (RCE) vulnerability in Optica allows unauthenticated attackers to execute arbitrary code via specially crafted JSON…
CVE-2022-38650 — CVSS 10.0 (critical): A remote unauthenticated insecure deserialization vulnerability exists in VMware Hyperic Server 5.8.6. Exploitation of this vulnerability…
CVE-2021-27470 — CVSS 10.0 (critical): A deserialization vulnerability exists in how the LogService.rem service in Rockwell Automation FactoryTalk AssetCentre v10.00 and earlier…
CVE-2021-27466 — CVSS 10.0 (critical): A deserialization vulnerability exists in how the ArchiveService.rem service in Rockwell Automation FactoryTalk AssetCentre v10.00 and…
CVE-2021-27462 — CVSS 10.0 (critical): A deserialization vulnerability exists in how the AosService.rem service in Rockwell Automation FactoryTalk AssetCentre v10.00 and earlier…
CVE-2019-19810 — CVSS 10.0 (critical): Zoom Call Recording 6.3.1 from Eleveo is vulnerable to Java Deserialization attacks targeting the inbuilt RMI service. A remote…
CVE-2021-37181 — CVSS 10.0 (critical): A vulnerability has been identified in Cerberus DMS V4.0 (All versions), Cerberus DMS V4.1 (All versions), Cerberus DMS V4.2 (All…
CVE-2021-21242 — CVSS 10.0 (critical): OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth…
CVE-2021-21243 — CVSS 10.0 (critical): OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, a Kubernetes REST endpoint exposes two methods that deserialize…
CVE-2020-15188 — CVSS 10.0 (critical): SOY CMS 3.0.2.327 and earlier is affected by Unauthenticated Remote Code Execution (RCE). The allows remote attackers to execute any…
CVE-2020-6770 — CVSS 10.0 (critical): Deserialization of Untrusted Data in the BVMS Mobile Video Service (BVMS MVS) allows an unauthenticated remote attacker to execute…
CVE-2019-18580 — CVSS 10.0 (critical): Dell EMC Storage Monitoring and Reporting version 4.3.1 contains a Java RMI Deserialization of Untrusted Data vulnerability. A remote…
CVE-2026-46386 — CVSS 9.9 (critical): OpenProject is open-source, web-based project management software. Prior to , the official openproject/openproject Docker image ships ENV…
CVE-2026-34838 — CVSS 9.9 (critical): Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.156, 25.0.90, and 26.0.12, a…
CVE-2024-37361 — CVSS 9.9 (critical): The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid. (CWE-502) Hitachi Vantara…