CWE-502 (Deserialization of Untrusted Data) documents a weakness type used across vulnerability databases and security assessments. Use the sections below for definition, context, and mapped CVEs.
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Extended context from the CWE catalog (rendered from MITRE XHTML).
| Kind | Name | Class | Prevalence | OS / CPE |
|---|---|---|---|---|
| language | Java | — | Undetermined | — |
| language | Ruby | — | Undetermined | — |
| language | PHP | — | Undetermined | — |
| language | Python | — | Undetermined | — |
| language | JavaScript | — | Undetermined | — |
| technology | — | Not Technology-Specific | Undetermined | — |
| technology | — | ICS/OT | Often | — |
| technology | AI/ML | — | Often | — |
These CVEs are mapped to this weakness in this database and kept for traceability and search.
| CVE | Published | Summary |
|---|---|---|
| CVE-2025-71378 | 2026-06-21 | picklescan before 0.0.30 fails to detect cProfile.runctx function calls in pickle file reduce methods, allowing attackers to execute arbitrary code. Malicious pickle files bypass picklescan detection … |
| CVE-2025-71357 | 2026-06-21 | picklescan before 0.0.30 fails to detect malicious pickle files using idlelib.pyshell.ModifiedInterpreter.runcommand in reduce methods. Attackers can embed undetected code in pickle files that execute… |
| CVE-2025-71348 | 2026-06-21 | picklescan before 0.0.28 fails to detect malicious pickle files that invoke torch.utils._config_module.load_config function within reduce methods. Attackers can craft pickle files embedding arbitrary … |
| CVE-2026-12787 | 2026-06-21 | A vulnerability was found in zhilink 智互联(深圳)科技有限公司 ADP Application Developer Platform 应用开发者平台 1.0.0. This affects an unknown part of the component testConnection Endpoint. The manipulation of the argu… |
| CVE-2026-56304 | 2026-06-20 | picklescan before 1.0.1 contains an unsafe pickle deserialization vulnerability allowing unauthenticated attackers to create arbitrary zero-byte files via logging.FileHandler class instantiation. Atta… |
| CVE-2026-48909 | 2026-06-20 | SP LMS (com_splms) < 4.1.4 by JoomShaper deserializes user-controlled cookie data without validation, enabling an unauthenticated remote attacker to execute arbitrary code on the server. |
| CVE-2026-49286 | 2026-06-19 | PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.6.0, `pontedilana/php-weasyprint` guarded the output filename against the `phar://` stream wrapper… |
| CVE-2026-12046 | 2026-06-18 | Two state-mutating endpoints in pgAdmin 4's SQL Editor blueprint -- DELETE /sqleditor/close/<trans_id> and POST /sqleditor/initialize/sqleditor/update_connection/<sgid>/<sid>/<did> -- were the only ro… |
| CVE-2025-27511 | 2026-06-18 | GeoServer is an open source server that allows users to share and edit geospatial data. Prior to version 2.27.0 of the GeoServer DB2 DataStore Extension, an administrator can perform a JNDI attack thr… |
| CVE-2026-8024 | 2026-06-18 | A remote, unauthenticated attacker may exploit a deserialization of untrusted data vulnerability in ibaPDA or ibaDatCoordinator to gain full access to the affected systems. |
| CVE-2026-12569 | 2026-06-17 | A critical remote code execution (RCE) vulnerability has been reported in PTC Windchill PDMlink and PTC FlexPLM. The vulnerability may be exploited through the deserialization of untrusted data. * … |
| CVE-2026-53805 | 2026-06-17 | NVIDIA Spatial Intelligence Lab's (SIL) GEN3C contains an unauthenticated remote code execution vulnerability in the inference API server where the /request-inference and /seed-model endpoints deseria… |
| CVE-2026-53874 | 2026-06-17 | picklescan before 1.0.1 contains an unsafe deserialization vulnerability allowing unauthenticated users to execute arbitrary code by hiding eval calls nested under callable objects via getattr. Attack… |
| CVE-2025-71321 | 2026-06-17 | picklescan before 0.0.33 contains an arbitrary file writing vulnerability that allows attackers to bypass the dangerous blocklist by using distutils.file_util.write_file. Attackers can construct malic… |
| CVE-2026-49108 | 2026-06-17 | Unauthenticated PHP Object Injection in Moderno < 1.43 versions. |
| CVE-2026-40757 | 2026-06-17 | Unauthenticated PHP Object Injection in Château <= 1.2.1 versions. |
| CVE-2026-40756 | 2026-06-17 | Unauthenticated PHP Object Injection in Zoya <= 1.4 versions. |
| CVE-2026-40752 | 2026-06-17 | Unauthenticated PHP Object Injection in Manufaktur Solutions <= 1.1.1 versions. |
| CVE-2026-40738 | 2026-06-17 | Unauthenticated PHP Object Injection in Eldon <= 1.4.1 versions. |
| CVE-2026-40733 | 2026-06-17 | Unauthenticated PHP Object Injection in ShiftUp <= 1.3 versions. |
| Date | Name | Version | Importance | Comment |
|---|---|---|---|---|
| 2008-07-01 | Eric Dalci | 1.0 | — | updated Time_of_Introduction |
| 2008-09-08 | CWE Content Team | 1.0 | — | updated Common_Consequences, Description, Relationships, Other_Notes, Taxonomy_Mappings |
| 2009-10-29 | CWE Content Team | 1.6 | — | updated Description, Other_Notes, Potential_Mitigations |
| 2011-06-01 | CWE Content Team | 1.13 | — | updated Common_Consequences, Relationships, Taxonomy_Mappings |
| 2012-05-11 | CWE Content Team | 2.2 | — | updated Relationships, Taxonomy_Mappings |
| 2012-10-30 | CWE Content Team | 2.3 | — | updated Demonstrative_Examples |
| 2013-02-21 | CWE Content Team | 2.4 | — | updated Alternate_Terms, Applicable_Platforms, Background_Details, Common_Consequences, Maintenance_Notes, Observed_Examples, Potential_Mitigations, References, Relationships |
| 2014-07-30 | CWE Content Team | 2.8 | — | updated Relationships, Taxonomy_Mappings |
| 2015-12-07 | CWE Content Team | 2.9 | — | updated Observed_Examples, References, Relationships |
| 2017-05-03 | CWE Content Team | 2.11 | — | updated Applicable_Platforms, Demonstrative_Examples, Description, Potential_Mitigations, References |
| 2017-11-08 | CWE Content Team | 3.0 | — | updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Modes_of_Introduction, Potential_Mitigations, References, Relationships |
| 2018-03-27 | CWE Content Team | 3.1 | — | updated Relationships |
| 2019-01-03 | CWE Content Team | 3.2 | — | updated Related_Attack_Patterns, Relationships, Taxonomy_Mappings |
| 2019-06-20 | CWE Content Team | 3.3 | — | updated Type |
| 2019-09-19 | CWE Content Team | 3.4 | — | updated Relationships |
| 2020-02-24 | CWE Content Team | 4.0 | — | updated Observed_Examples, References, Relationships |
| 2020-06-25 | CWE Content Team | 4.1 | — | updated Alternate_Terms, Potential_Mitigations |
| 2020-08-20 | CWE Content Team | 4.2 | — | updated Relationships |
| 2020-12-10 | CWE Content Team | 4.3 | — | updated Relationships |
| 2021-07-20 | CWE Content Team | 4.5 | — | updated Relationships |
| 2021-10-28 | CWE Content Team | 4.6 | — | updated Relationships |
| 2022-06-28 | CWE Content Team | 4.8 | — | updated Relationships |
| 2022-10-13 | CWE Content Team | 4.9 | — | updated Applicable_Platforms |
| 2023-01-31 | CWE Content Team | 4.10 | — | updated Description |
| 2023-04-27 | CWE Content Team | 4.11 | — | updated Detection_Factors, References, Relationships |
| 2023-06-29 | CWE Content Team | 4.12 | — | updated Mapping_Notes, Relationships |
| 2024-11-19 | CWE Content Team | 4.16 | — | updated Common_Consequences, Description, Diagram, Potential_Mitigations, Relationships |
| 2025-09-09 | CWE Content Team | 4.18 | — | updated Observed_Examples, Potential_Mitigations, References |
| 2025-12-11 | CWE Content Team | 4.19 | — | updated Applicable_Platforms, Observed_Examples, Relationships, Weakness_Ordinalities |
| 2026-04-30 | CWE Content Team | 4.20 | — | updated Alternate_Terms, Relationships |
| Type | Name | Date | Comment |
|---|---|---|---|
| Content | Abhi Balakrishnan | 2024-02-29 | Contributed usability diagram concepts used by the CWE team |