deserialization

Insecure Deserialization

CVEs in this class (47)

CVE-2026-20131 🚨 CVSS 10.0 Cisco / Secure Firewall Management Center (FMC)
CVE-2026-20131 is a critical remote code execution vulnerability in Cisco Secure Firewall Management Center (FMC) Software, classified as insecure deserializati…
CVE-2025-40551 🚨 SolarWinds / Web Help Desk
SolarWinds Web Help Desk contains a critical untrusted data deserialization vulnerability (CWE-502) that allows remote code execution without authentication. Th…
CVE-2025-59287 🚨 Microsoft / Windows
CVE-2025-59287 is a critical vulnerability in Microsoft Windows Server Update Service (WSUS) involving the deserialization of untrusted data, classified under C…
CVE-2025-10035 🚨 Fortra / GoAnywhere MFT
CVE-2025-10035 is a critical deserialization vulnerability in Fortra's GoAnywhere MFT License Servlet, allowing command injection via forged license response si…
CVE-2025-53690 🚨 Sitecore / Multiple Products
CVE-2025-53690 is a critical deserialization vulnerability (CWE-502) in Sitecore Experience Manager (XM) and Experience Platform (XP) versions through 9.0, allo…
CVE-2025-8875 🚨 N-able / N-Central
CVE-2025-8875 is a deserialization of untrusted data vulnerability (CWE-502) in N-able N-central versions prior to 2025.3.1, allowing local code execution. The …
CVE-2025-53770 🚨 Microsoft / SharePoint
CVE-2025-53770 is a critical deserialization vulnerability (CWE-502) in on-premises Microsoft SharePoint Server that allows unauthorized remote code execution o…
CVE-2026-20963 🚨 Microsoft / SharePoint
CVE-2026-20963 is a critical deserialization vulnerability (CWE-502) in Microsoft Office SharePoint that allows unauthorized remote code execution over a networ…
CVE-2025-24016 🚨 Wazuh / Wazuh Server
CVE-2025-24016 is a critical remote code execution vulnerability in Wazuh Server versions 4.4.0 through 4.9.1 caused by unsafe deserialization of DistributedAPI…
CVE-2025-42999 🚨 SAP / NetWeaver
CVE-2025-42999 is a critical deserialization vulnerability (CWE-502) in SAP NetWeaver Visual Composer Metadata Uploader, allowing privileged users to upload mal…
CVE-2025-30406 🚨 Gladinet / CentreStack
CVE-2025-30406 is a critical deserialization vulnerability in Gladinet CentreStack versions through 16.1.10296.56315, caused by a hardcoded machineKey that allo…
CVE-2019-9875 🚨 Sitecore / CMS and Experience Platform (XP)
CVE-2019-9875 is a high-severity deserialization vulnerability (CWE-502) in the anti-CSRF module of Sitecore CMS and Experience Platform through version 9.1. It…
CVE-2019-9874 🚨 Sitecore / CMS and Experience Platform (XP)
CVE-2019-9874 is a critical deserialization vulnerability (CWE-502) in Sitecore CMS versions 7.0-7.2 and Sitecore XP versions 7.5-8.2, allowing unauthenticated …
CVE-2024-20953 🚨 Oracle / Agile Product Lifecycle Management (PLM)
CVE-2024-20953 is a high-severity vulnerability (CVSS 8.8) in Oracle Agile PLM version 9.3.6 affecting the Export component. It allows a low-privileged attacker…
CVE-2017-3066 🚨 Adobe / ColdFusion
CVE-2017-3066 is a critical Java deserialization vulnerability (CWE-502) in the Apache BlazeDS library affecting Adobe ColdFusion 2016 Update 3 and earlier, Col…
CVE-2025-0994 🚨 Trimble / Cityworks
CVE-2025-0994 is a deserialization vulnerability in Trimble Cityworks versions prior to 15.8.9 and Cityworks with Office Companion prior to 23.10, allowing auth…
CVE-2025-23006 🚨 SonicWall / SMA1000 Appliances
CVE-2025-23006 is a critical remote code execution vulnerability in SonicWall SMA1000 Appliances affecting the Appliance Management Console and Central Manageme…
CVE-2024-40711 🚨 Veeam / Backup & Replication
CVE-2024-40711 is a critical deserialization vulnerability in Veeam Backup & Replication that allows unauthenticated remote code execution via malicious payload…
CVE-2019-0344 🚨 SAP / Commerce Cloud
CVE-2019-0344 is a critical deserialization vulnerability (CWE-502) in SAP Commerce Cloud versions 6.4 through 1905, allowing arbitrary code execution with Hybr…
CVE-2024-28986 🚨 SolarWinds / Web Help Desk
SolarWinds Web Help Desk contains a Java Deserialization vulnerability (CWE-502) that allows for Remote Code Execution. Although initially reported as unauthent…
CVE-2023-29300 🚨 Adobe / ColdFusion
CVE-2023-29300 is a critical deserialization vulnerability in Adobe ColdFusion versions 2018u16 and earlier, 2021u6 and earlier, and 2023.0.0.330468 and earlier…
CVE-2023-38203 🚨 Adobe / ColdFusion
Adobe ColdFusion versions 2018u17 and earlier, 2021u7 and earlier, and 2023u1 and earlier contain a critical deserialization of untrusted data vulnerability (CW…
CVE-2023-40044 🚨 Progress / WS_FTP Server
CVE-2023-40044 is a critical remote code execution vulnerability in WS_FTP Server versions prior to 8.7.4 and 8.8.2, caused by insecure .NET deserialization in …
CVE-2023-26359 🚨 Adobe / ColdFusion
Adobe ColdFusion versions 2018 Update 15 and earlier, as well as 2021 Update 5 and earlier, contain a critical deserialization of untrusted data vulnerability (…
CVE-2021-39144 🚨 XStream / XStream
CVE-2021-39144 is a vulnerability in XStream that has been added to CISA's Known Exploited Vulnerabilities catalog as of March 10, 2023, with a federal remediat…
CVE-2020-5741 🚨 Plex / Media Server
CVE-2020-5741 is a high-severity deserialization vulnerability (CWE-502) in Plex Media Server on Windows, allowing remote authenticated attackers to execute arb…
CVE-2022-47986 🚨 IBM / Aspera Faspex
IBM Aspera Faspex versions 4.4.2 Patch Level 1 and earlier are vulnerable to a critical remote code execution flaw due to insecure YAML deserialization (CWE-502…
CVE-2021-31010 🚨 Apple / iOS, macOS, watchOS
CVE-2021-31010 is a deserialization vulnerability (CWE-502) affecting Apple iOS, macOS, and watchOS, allowing a sandboxed process to circumvent sandbox restrict…
CVE-2021-27852 🚨 Checkbox / Checkbox Survey
CVE-2021-27852 is a critical deserialization vulnerability (CWE-502) in Checkbox Survey versions prior to 7, allowing unauthenticated remote code execution via …
CVE-2021-42237 🚨 Sitecore / XP
CVE-2021-42237 is a critical insecure deserialization vulnerability (CWE-502) affecting Sitecore XP versions 7.5 Initial Release through 8.2 Update-7, allowing …
CVE-2018-0147 🚨 Cisco / Secure Access Control System (ACS)
CVE-2018-0147 is a critical remote code execution vulnerability in Cisco Secure Access Control System (ACS) prior to release 5.8 patch 9, caused by insecure des…
CVE-2020-2555 🚨 Oracle / Multiple Products
CVE-2020-2555 is a critical vulnerability in Oracle Coherence affecting versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, and 12.2.1.4.0, classified under CWE-502 (Dese…
CVE-2015-4852 🚨 Oracle / WebLogic Server
CVE-2015-4852 is a critical remote code execution vulnerability in Oracle WebLogic Server versions 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0, caused by insecur…
CVE-2019-18935 🚨 Progress / Telerik UI for ASP.NET AJAX
CVE-2019-18935 is a critical deserialization vulnerability in Progress Telerik UI for ASP.NET AJAX through version 2019.3.1023 that allows remote code execution…
CVE-2025-49113 🚨 Roundcube / Webmail
CVE-2025-49113 is a critical remote code execution vulnerability in Roundcube Webmail versions before 1.5.10 and 1.6.x before 1.6.11, classified as CWE-502 (Des…
CVE-2026-43633 CVSS 10.0
HestiaCP versions 1.9.0 through 1.9.4 contain a critical deserialization vulnerability (CWE-502) in the web terminal component. The issue stems from a session f…
CVE-2026-48207 CVSS 9.8 apache / fory
CVE-2026-48207 is a critical deserialization vulnerability in Apache Fory PyFory versions prior to 1.0.0, classified under CWE-502. It allows attackers to bypas…
CVE-2026-7637 CVSS 9.8
CVE-2026-7637 is a critical PHP Object Injection vulnerability in the Boost WordPress plugin versions up to and including 2.0.3, caused by deserialization of un…
CVE-2026-24162 CVSS 7.8
NVIDIA Transformers4Rec for Linux contains a vulnerability involving improper deserialization of untrusted data, classified under CWE-502. This flaw allows an a…
CVE-2026-33233 CVSS 7.6
AutoGPT versions 0.6.34 through 0.6.51 are vulnerable to remote code execution due to insecure deserialization of Redis cache data using pickle.loads without in…
CVE-2026-24163 CVSS 7.5 nvidia / tensorrt_llm
NVIDIA TRT-LLM for any platform contains a vulnerability in RPC testing involving unsafe deserialization (CWE-502). This flaw allows an attacker to potentially …
CVE-2025-33255 CVSS 7.5 nvidia / tensorrt_llm
NVIDIA TRT-LLM contains a vulnerability in its MPI server component that allows for unsafe deserialization, classified under CWE-502. This flaw enables attacker…
CVE-2026-9521 CVSS 7.3
CVE-2026-9521 is a high-severity vulnerability in fraillt bitsery versions up to 5.2.4, specifically affecting the loadFromSharedState function in include/bitse…
CVE-2026-4137 CVSS 7.0
CVE-2026-4137 is a high-severity vulnerability in mlflow versions prior to 3.11.0 involving insecure temporary directory permissions (CWE-378). The flaw allows …
CVE-2026-1235 CVSS 6.5
CVE-2026-1235 is a medium-severity vulnerability (CVSS 6.5) in the WP eCommerce WordPress plugin through version 3.15.1. It involves CWE-502 improper restrictio…
CVE-2026-35537 CVSS 3.7
CVE-2026-35537 is a low-severity vulnerability (CVSS 3.7) affecting Roundcube Webmail versions prior to 1.5.14 and 1.6.14. The issue stems from unsafe deseriali…
CVE-2022-1471
CVE-2022-1471 is a high-severity vulnerability in SnakeYaml with a CVSS score of 8.3, caused by the Constructor class not restricting types during deserializati…
