CVE Database - Insecure Deserialization

Browse known vulnerabilities with WAF coverage analysis. See which CVEs are detectable by Web Application Firewalls and their OWASP CRS rules.

2555 Matching CVEs
15853 Critical
26962 High
69389 High WAF Coverage

CVE-2026-32510

UNKNOWN
0.00 CVSS none

Deserialization of Untrusted Data vulnerability in Edge-Themes Kamperen kamperen allows Object Injection. This issue affects Kamperen: from n/a through < 1.3.

Insecure Deserialization
WAF: Medium

CVE-2026-32509

UNKNOWN
0.00 CVSS none

Deserialization of Untrusted Data vulnerability in Edge-Themes Gracey gracey allows Object Injection. This issue affects Gracey: from n/a through < 1.4.

Insecure Deserialization
WAF: Medium

CVE-2026-32508

UNKNOWN
0.00 CVSS none

Deserialization of Untrusted Data vulnerability in Mikado-Themes Halstein halstein allows Object Injection. This issue affects Halstein: from n/a through < 1.8.

Insecure Deserialization
WAF: Medium

CVE-2026-32507

UNKNOWN
0.00 CVSS none

Deserialization of Untrusted Data vulnerability in Elated-Themes Leroux leroux allows Object Injection. This issue affects Leroux: from n/a through < 1.4.

Insecure Deserialization
WAF: Medium

CVE-2026-32506

UNKNOWN
0.00 CVSS none

Deserialization of Untrusted Data vulnerability in Edge-Themes Archicon archicon allows Object Injection. This issue affects Archicon: from n/a through < 1.7.

Insecure Deserialization
WAF: Medium

CVE-2026-32502

UNKNOWN
0.00 CVSS none

Deserialization of Untrusted Data vulnerability in Select-Themes Borgholm borgholm-marketing-agency-theme allows Object Injection. This issue affects Borgholm: from n/a through < 1.6.

Insecure Deserialization
WAF: Medium

CVE-2026-32484

UNKNOWN
0.00 CVSS none

Deserialization of Untrusted Data vulnerability in BoldGrid weForms weforms allows Object Injection. This issue affects weForms: from n/a through <= 1.6.26.

Insecure Deserialization
WAF: Medium

CVE-2026-27095

UNKNOWN
0.00 CVSS none

Deserialization of Untrusted Data vulnerability in magepeopleteam Bus Ticket Booking with Seat Reservation bus-ticket-booking-with-seat-reservation allows Object Injection. This issue affects Bus Ticket Booking with Seat Reservation: from n/a through <= 5.6.0.

Insecure Deserialization
WAF: Medium

CVE-2026-27084

UNKNOWN
0.00 CVSS none

Deserialization of Untrusted Data vulnerability in ThemeREX Buisson buisson allows Object Injection. This issue affects Buisson: from n/a through <= 1.1.11.

Insecure Deserialization
WAF: Medium

CVE-2026-27083

UNKNOWN
0.00 CVSS none

Deserialization of Untrusted Data vulnerability in ThemeREX Work & Travel Company work-travel-company allows Object Injection. This issue affects Work & Travel Company: from n/a through <= 1.2.

Insecure Deserialization
WAF: Medium

CVE-2026-27082

UNKNOWN
0.00 CVSS none

Deserialization of Untrusted Data vulnerability in ThemeREX Love Story lovestory allows Object Injection. This issue affects Love Story: from n/a through <= 1.3.12.

Insecure Deserialization
WAF: Medium

CVE-2026-27045

UNKNOWN
0.00 CVSS none

Deserialization of Untrusted Data vulnerability in sbthemes WooCommerce Infinite Scroll sb-woocommerce-infinite-scroll allows Object Injection. This issue affects WooCommerce Infinite Scroll: from n/a through <= 1.6.2.

Insecure Deserialization
WAF: Medium

CVE-2026-25429

UNKNOWN
0.00 CVSS none

Deserialization of Untrusted Data vulnerability in wpdive Nexa Blocks nexa-blocks allows Object Injection. This issue affects Nexa Blocks: from n/a through <= 1.1.1.

Insecure Deserialization
WAF: Medium

CVE-2026-25400

UNKNOWN
0.00 CVSS none

Deserialization of Untrusted Data vulnerability in thememount Apicona apicona allows Object Injection. This issue affects Apicona: from n/a through <= 24.1.0.

Insecure Deserialization
WAF: Medium

CVE-2026-25360

UNKNOWN
0.00 CVSS none

Deserialization of Untrusted Data vulnerability in rascals Vex vex allows Object Injection. This issue affects Vex: from n/a through < 1.2.9.

Insecure Deserialization
WAF: Medium

CVE-2026-25359

UNKNOWN
0.00 CVSS none

Deserialization of Untrusted Data vulnerability in rascals Pendulum pendulum allows Object Injection. This issue affects Pendulum: from n/a through < 3.1.5.

Insecure Deserialization
WAF: Medium

CVE-2026-25358

UNKNOWN
0.00 CVSS none

Deserialization of Untrusted Data vulnerability in rascals Meloo meloo allows Object Injection. This issue affects Meloo: from n/a through < 2.8.2.

Insecure Deserialization
WAF: Medium

CVE-2026-25032

UNKNOWN
0.00 CVSS none

Deserialization of Untrusted Data vulnerability in park_of_ideas Ricky ricky allows Object Injection. This issue affects Ricky: from n/a through < 2.31.

Insecure Deserialization
WAF: Medium

CVE-2026-25031

UNKNOWN
0.00 CVSS none

Deserialization of Untrusted Data vulnerability in park_of_ideas Tasty Daily tastydaily allows Object Injection. This issue affects Tasty Daily: from n/a through < 1.27.

Insecure Deserialization
WAF: Medium

CVE-2026-25030

UNKNOWN
0.00 CVSS none

Deserialization of Untrusted Data vulnerability in park_of_ideas Goldish goldish allows Object Injection. This issue affects Goldish: from n/a through < 3.47.

Insecure Deserialization
WAF: Medium

CVE-2026-25029

UNKNOWN
0.00 CVSS none

Deserialization of Untrusted Data vulnerability in park_of_ideas KIDZ kidz allows Object Injection. This issue affects KIDZ: from n/a through <= 5.24.

Insecure Deserialization
WAF: Medium

CVE-2026-24989

UNKNOWN
0.00 CVSS none

Deserialization of Untrusted Data vulnerability in FantasticPlugins SUMO Affiliates Pro affs allows Object Injection. This issue affects SUMO Affiliates Pro: from n/a through < 11.4.0.

Insecure Deserialization
WAF: Medium

CVE-2026-24981

UNKNOWN
0.00 CVSS none

Deserialization of Untrusted Data vulnerability in NooTheme Visionary Core noo-visionary-core allows Object Injection. This issue affects Visionary Core: from n/a through <= 1.4.9.

Insecure Deserialization
WAF: Medium

CVE-2026-24978

UNKNOWN
0.00 CVSS none

Deserialization of Untrusted Data vulnerability in NooTheme Jobica Core jobica-core allows Object Injection. This issue affects Jobica Core: from n/a through <= 1.4.1.

Insecure Deserialization
WAF: Medium

CVE-2026-24976

UNKNOWN
0.00 CVSS none

Deserialization of Untrusted Data vulnerability in NooTheme Organici Library noo-organici-library allows Object Injection. This issue affects Organici Library: from n/a through <= 2.1.2.

Insecure Deserialization
WAF: Medium

CVE-2026-24974

UNKNOWN
0.00 CVSS none

Deserialization of Untrusted Data vulnerability in NooTheme CitiLights noo-citilights allows Object Injection. This issue affects CitiLights: from n/a through <= 3.7.1.

Insecure Deserialization
WAF: Medium

CVE-2026-24378

UNKNOWN
0.00 CVSS none

Deserialization of Untrusted Data vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Object Injection. This issue affects EventPrime: from n/a through <= 4.2.8.0.

Insecure Deserialization
WAF: Medium

CVE-2026-23971

UNKNOWN
0.00 CVSS none

Deserialization of Untrusted Data vulnerability in xtemos WoodMart woodmart allows Object Injection. This issue affects WoodMart: from n/a through <= 8.3.8.

Insecure Deserialization
WAF: Medium

CVE-2026-22510

UNKNOWN
0.00 CVSS none

Deserialization of Untrusted Data vulnerability in AncoraThemes Melody melodyschool allows Object Injection. This issue affects Melody: from n/a through <= 1.6.3.

Insecure Deserialization
WAF: Medium

CVE-2026-22507

UNKNOWN
0.00 CVSS none

Deserialization of Untrusted Data vulnerability in AncoraThemes Beelove beelove allows Object Injection. This issue affects Beelove: from n/a through <= 1.2.6.

Insecure Deserialization
WAF: Medium

CVE-2026-22505

UNKNOWN
0.00 CVSS none

Deserialization of Untrusted Data vulnerability in AncoraThemes Morning Records morning-records allows Object Injection. This issue affects Morning Records: from n/a through <= 1.2.

Insecure Deserialization
WAF: Medium

CVE-2026-22500

UNKNOWN
0.00 CVSS none

Deserialization of Untrusted Data vulnerability in axiomthemes m2 | Construction and Tools Store m2-ce allows Object Injection. This issue affects m2 | Construction and Tools Store: from n/a through <= 1.1.2.

Insecure Deserialization
WAF: Medium

CVE-2026-22480

UNKNOWN
0.00 CVSS none

Deserialization of Untrusted Data vulnerability in WebToffee Product Feed for WooCommerce webtoffee-product-feed allows Object Injection. This issue affects Product Feed for WooCommerce: from n/a through <= 2.3.3.

Insecure Deserialization
WAF: Medium

CVE-2026-24159

CRITICAL
9.80 CVSS 3.1

NVIDIA NeMo Framework contains a vulnerability where an attacker may cause remote code execution. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure and data tampering.

Insecure Deserialization
WAF: Medium

CVE-2026-24157

CRITICAL
9.80 CVSS 3.1

NVIDIA NeMo Framework contains a vulnerability in checkpoint loading where an attacker could cause remote code execution. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure and data tampering.

Insecure Deserialization
WAF: Medium

CVE-2026-24152

HIGH
7.80 CVSS 3.1

NVIDIA Megatron-LM contains a vulnerability in checkpoint loading where an attacker may cause an RCE by convincing a user to load a maliciously crafted file. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, and data tampering.

Insecure Deserialization
WAF: Medium

CVE-2026-24151

HIGH
7.80 CVSS 3.1

NVIDIA Megatron-LM contains a vulnerability in inferencing where an attacker may cause an RCE by convincing a user to load a maliciously crafted input. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, and data tampering.

Insecure Deserialization
WAF: Medium

CVE-2026-24150

HIGH
7.80 CVSS 3.1

NVIDIA Megatron-LM contains a vulnerability in checkpoint loading where an attacker may cause an RCE by convincing a user to load a maliciously crafted file. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, and data tampering.

Insecure Deserialization
WAF: Medium

CVE-2026-24141

UNKNOWN
0.00 CVSS none

NVIDIA Model Optimizer for Windows and Linux contains a vulnerability in the ONNX quantization feature, where a user could cause unsafe deserialization by providing a specially crafted input file. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, and information disclosure.

Insecure Deserialization
WAF: Medium

CVE-2025-33248

HIGH
7.80 CVSS 3.1

NVIDIA Megatron-LM contains a vulnerability in the hybrid conversion script where an attacker may cause an RCE by convincing a user to load a maliciously crafted file. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, and data tampering.

Insecure Deserialization
WAF: Medium

CVE-2025-33247

HIGH
7.80 CVSS 3.1

NVIDIA Megatron LM contains a vulnerability in quantization configuration loading, which could allow remote code execution. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering.

Insecure Deserialization
WAF: Medium

CVE-2025-33244

UNKNOWN
0.00 CVSS none

NVIDIA APEX for Linux contains a vulnerability where an unauthorized attacker could cause a deserialization of untrusted data. This vulnerability affects environments that use PyTorch versions earlier than 2.6. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, data tampering, and information disclosure.

Insecure Deserialization
WAF: Medium

CVE-2026-4735

UNKNOWN
0.00 CVSS none

Deserialization of Untrusted Data vulnerability in DTStack chunjun (chunjun-core/src/main/java/com/dtstack/chunjun/util modules). This vulnerability is associated with program files GsonUtil.Java. This issue affects chunjun: before 1.16.1.

Insecure Deserialization
WAF: Medium

CVE-2026-4538

MEDIUM
5.30 CVSS 3.1

A vulnerability was identified in PyTorch 2.10.0. The affected element is an unknown function of the component pt2 Loading Handler. The manipulation leads to deserialization. The attack can only be performed from a local environment. The exploit is publicly available and might be used. The project was informed of the problem early through a pull request but has not reacted yet.

Improper Input Validation, Insecure Deserialization
WAF: Medium

CVE-2026-0677

UNKNOWN
0.00 CVSS none

Deserialization of Untrusted Data vulnerability in TotalSuite TotalContest Lite totalcontest-lite allows Object Injection. This issue affects TotalContest Lite: from n/a through <= 2.9.1.

Insecure Deserialization
WAF: Medium

CVE-2026-29109

HIGH
7.20 CVSS 3.1

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions up to and including 8.9.2 contain an unsafe deserialization vulnerability in the SavedSearch filter processing component that allows an authenticated administrator to execute arbitrary system commands on the server. `FilterDefinitionProvider.php` calls `unserialize()` on user-controlled data from the `saved_search.contents` database column without restricting instantiable classes. Version 8.9.3 patches the issue.

Insecure Deserialization
WAF: Medium

CVE-2025-71260

HIGH
8.80 CVSS 3.1

BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a deserialization of untrusted data vulnerability in the ASP.NET servlet's VIEWSTATE handling that allows authenticated attackers to execute arbitrary code. Attackers can supply crafted serialized objects to the VIEWSTATE parameter to achieve remote code execution and fully compromise the application. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.

Insecure Deserialization
WAF: Medium

CVE-2026-25445

UNKNOWN
0.00 CVSS none

Deserialization of Untrusted Data vulnerability in Membership Software WishList Member X allows Object Injection. This issue affects WishList Member X: from n/a through 3.29.0.

Insecure Deserialization
WAF: Medium

CVE-2025-60237

UNKNOWN
0.00 CVSS none

Deserialization of Untrusted Data vulnerability in Themeton Finag allows Object Injection. This issue affects Finag: from n/a through 1.5.0.

Insecure Deserialization
WAF: Medium

CVE-2025-60233

UNKNOWN
0.00 CVSS none

Deserialization of Untrusted Data vulnerability in Themeton Zuut allows Object Injection. This issue affects Zuut: from n/a through 1.4.2.

Insecure Deserialization
WAF: Medium
Page 2 of 52 (2555 CVEs)