CWE-502 (Deserialization of Untrusted Data) describes a weakness type used across vulnerability databases and assessments. See the sections below for the definition, background, and the CVEs mapped to it.
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Supplementary data from the CWE catalogue (rendered from the MITRE XHTML); the table below lists the applicable platforms.
| Type | Name | Class | Prevalence | OS / CPE |
|---|---|---|---|---|
| language | Java | — | Undetermined | — |
| language | Ruby | — | Undetermined | — |
| language | PHP | — | Undetermined | — |
| language | Python | — | Undetermined | — |
| language | JavaScript | — | Undetermined | — |
| technology | — | Not Technology-Specific | Undetermined | — |
| technology | — | ICS/OT | Often | — |
| technology | AI/ML | — | Often | — |
The following CVEs are mapped to this weakness in this database and are retained for tracking and search.
| CVE | Published | Summary |
|---|---|---|
| CVE-2026-41699 | 2026-06-11 | Spring for GraphQL applications are vulnerable to Unsafe Deserialization when processing paginated GraphQL queries. An attacker can craft a malicious GraphQL request that can lead to Remote Code Execu… |
| CVE-2026-20251 | 2026-06-10 | In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform versions below 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, and Splunk Secure Gateway versi… |
| CVE-2026-53435 | 2026-06-10 | In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined in Jenkins core or plugins from an attacker-controlled `config.x… |
| CVE-2026-52751 | 2026-06-10 | Ghidra before 12.1 contains an unsafe deserialization vulnerability in client-side Shared-Project RMI connection code that allows unauthenticated remote code execution. Attackers can craft a malicious… |
| CVE-2026-10721 | 2026-06-10 | Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the Permission, Cache, and Search components. An unauthenticated attacker may trigger arbitrary PHP object… |
| CVE-2026-11815 | 2026-06-10 | An attacker who intercepts and tampers with traffic between the client application and the API Gateway server could potentially deserialize arbitrary objects. This vulnerability could lead to broken s… |
| CVE-2026-41732 | 2026-06-10 | JsonPulsarHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its subpackages. Additionally, an empty trusted-p… |
| CVE-2026-41731 | 2026-06-10 | JsonKafkaHeaderMapper and the deprecated DefaultKafkaHeaderMapper matched type headers against trusted packages using a prefix check, meaning that trusting any package implicitly trusted all of its su… |
| CVE-2026-40993 | 2026-06-10 | An attacker with write permissions to the database table managed by JdbcAssertingPartyMetadataRepository (saml2_asserting_party_metadata) may be able to store malicious serialized payloads in the colu… |
| CVE-2026-44963 | 2026-06-09 | A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user. |
| CVE-2026-48560 | 2026-06-09 | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. |
| CVE-2026-45484 | 2026-06-09 | Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to elevate privileges over a network. |
| CVE-2026-26142 | 2026-06-09 | Deserialization of untrusted data in Nuance PowerScribe allows an unauthorized attacker to execute code over a network. |
| CVE-2026-49740 | 2026-06-09 | TYPO3's cache frontend (VariableFrontend) and persistent key-value store (Registry) deserialized PHP payloads without integrity validation or class restrictions. An attacker with write access to the u… |
| CVE-2026-8365 | 2026-06-09 | The Blocksy theme for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution via the 'blocksy_meta' REST API field and the V200 database migration in versions up to and inclu… |
| CVE-2026-41855 | 2026-06-09 | In an untrusted JMS environment, org.springframework.jms.support.converter.MappingJackson2MessageConverter and org.springframework.jms.support.converter.JacksonJsonMessageConverter allow arbitrary cla… |
| CVE-2026-7566 | 2026-06-06 | The LearnPress – Backup & Migration Tool plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.1.4 via deserialization of untrusted input. This makes it p… |
| CVE-2026-7654 | 2026-06-05 | The Admin Columns plugin for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution in versions up to and including 7.0.18. This is due to the use of `unserialize()` without … |
| CVE-2026-25551 | 2026-06-04 | Seagull Software BarTender 2021 R1 through 12.0.1 contains an insecure deserialization vulnerability that allows low-privileged local users to escalate privileges. The DataServiceSingleton .NET Remoti… |
| CVE-2026-25550 | 2026-06-04 | Seagull Software BarTender 2010, 2016, and 2019 contain an unauthenticated remote code execution vulnerability in the .NET Remoting service exposed on TCP port 7375 via BtSystem.Service.exe. The servi… |
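As an added example that is not part of the CWE entry or of any project in the CVE list above, the following Python block shows the weakness defined at the top of the page (a pickle.loads call on attacker-controlled bytes resolves and calls whatever global the stream names) beside a hardened loader that enforces an exact (module, name) allowlist, and, separately, the prefix-match trust check described in CVE-2026-41731 and CVE-2026-41732 beside one exact-match variant. The session dictionary, the Gadget class and both payloads are constructed for the demonstration; trusted_exactly is a hypothetical correction written here, not the Spring project's own fix.

```python
"""Added example (not from the CWE entry or any project above): CWE-502 in
Python's pickle, the vulnerable load beside a hardened loader, plus the
prefix-versus-exact trust check described in the Spring header-mapper CVEs."""
import datetime
import io
import os
import pickle


class Gadget:
    """Stand-in for an attacker's payload object. On load, pickle resolves the
    callable named by __reduce__ and calls it. os.getcwd is used here so the
    demo has no side effect; a real payload names os.system, subprocess, etc."""

    def __reduce__(self):
        return (os.getcwd, ())


# Constructed inputs: a legitimate session blob and an attacker's replacement.
SESSION = {"user": "alice", "roles": ["viewer"],
           "expires": datetime.date(2026, 6, 11)}
BENIGN_PAYLOAD = pickle.dumps(SESSION)
MALICIOUS_PAYLOAD = pickle.dumps(Gadget())


def unsafe_load(data):
    """CWE-502: the byte stream, not the application, chooses which global
    gets imported and called."""
    return pickle.loads(data)


# Exact (module, name) pairs this stream may reference. Built-in containers
# and scalars use dedicated opcodes and never reach find_class, so only the
# class the session genuinely carries is listed.
ALLOWED_GLOBALS = frozenset({("datetime", "date")})


class RestrictedUnpickler(pickle.Unpickler):
    """Allowlisting unpickler: every global the stream names must match an
    entry exactly. Same pattern as the 'Restricting Globals' example in the
    stdlib pickle documentation."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            "refusing to resolve %s.%s: not in allowlist" % (module, name))


def safe_load(data):
    """Deserialise with the allowlist enforced; raises UnpicklingError otherwise."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def trusted_by_prefix(type_name, trusted_packages):
    """The flawed check from CVE-2026-41731/41732: a plain prefix match, so
    trusting 'com.example' also trusts 'com.example.internal' and
    'com.examplefake', and an empty trusted entry trusts everything."""
    return any(type_name.startswith(p) for p in trusted_packages)


def trusted_exactly(type_name, trusted_packages):
    """Hypothetical corrected variant (not the project's own fix): the type's
    package must equal a trusted entry; subpackages are not implied and an
    empty package never matches."""
    package = type_name.rpartition(".")[0]
    return bool(package) and package in trusted_packages


def demo():
    """Exercise both loaders on both payloads and report what happened."""
    outcome = {
        "unsafe_benign_ok": unsafe_load(BENIGN_PAYLOAD) == SESSION,
        # The gadget ran: the loader handed back the callable's return value.
        "unsafe_malicious_ran_gadget": unsafe_load(MALICIOUS_PAYLOAD) == os.getcwd(),
        "safe_benign_ok": safe_load(BENIGN_PAYLOAD) == SESSION,
    }
    try:
        safe_load(MALICIOUS_PAYLOAD)
        outcome["safe_malicious_blocked"] = False
    except pickle.UnpicklingError:
        outcome["safe_malicious_blocked"] = True
    return outcome


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

find_class is consulted only for the GLOBAL and STACK_GLOBAL opcodes, so the allowlist names exactly the classes the application expects to find in that stream and nothing broader; the moment a check becomes a prefix or a package wildcard, the attacker gets every neighbouring type for free, which is the failure the two header-mapper CVEs describe. For data that genuinely crosses a trust boundary, a format with no code-loading semantics (JSON plus schema validation) removes the gadget problem instead of filtering it.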
| Date | Name | Version | Importance | Comment |
|---|---|---|---|---|
| 2008-07-01 | Eric Dalci | 1.0 | — | updated Time_of_Introduction |
| 2008-09-08 | CWE Content Team | 1.0 | — | updated Common_Consequences, Description, Relationships, Other_Notes, Taxonomy_Mappings |
| 2009-10-29 | CWE Content Team | 1.6 | — | updated Description, Other_Notes, Potential_Mitigations |
| 2011-06-01 | CWE Content Team | 1.13 | — | updated Common_Consequences, Relationships, Taxonomy_Mappings |
| 2012-05-11 | CWE Content Team | 2.2 | — | updated Relationships, Taxonomy_Mappings |
| 2012-10-30 | CWE Content Team | 2.3 | — | updated Demonstrative_Examples |
| 2013-02-21 | CWE Content Team | 2.4 | — | updated Alternate_Terms, Applicable_Platforms, Background_Details, Common_Consequences, Maintenance_Notes, Observed_Examples, Potential_Mitigations, References, Relationships |
| 2014-07-30 | CWE Content Team | 2.8 | — | updated Relationships, Taxonomy_Mappings |
| 2015-12-07 | CWE Content Team | 2.9 | — | updated Observed_Examples, References, Relationships |
| 2017-05-03 | CWE Content Team | 2.11 | — | updated Applicable_Platforms, Demonstrative_Examples, Description, Potential_Mitigations, References |
| 2017-11-08 | CWE Content Team | 3.0 | — | updated Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Modes_of_Introduction, Potential_Mitigations, References, Relationships |
| 2018-03-27 | CWE Content Team | 3.1 | — | updated Relationships |
| 2019-01-03 | CWE Content Team | 3.2 | — | updated Related_Attack_Patterns, Relationships, Taxonomy_Mappings |
| 2019-06-20 | CWE Content Team | 3.3 | — | updated Type |
| 2019-09-19 | CWE Content Team | 3.4 | — | updated Relationships |
| 2020-02-24 | CWE Content Team | 4.0 | — | updated Observed_Examples, References, Relationships |
| 2020-06-25 | CWE Content Team | 4.1 | — | updated Alternate_Terms, Potential_Mitigations |
| 2020-08-20 | CWE Content Team | 4.2 | — | updated Relationships |
| 2020-12-10 | CWE Content Team | 4.3 | — | updated Relationships |
| 2021-07-20 | CWE Content Team | 4.5 | — | updated Relationships |
| 2021-10-28 | CWE Content Team | 4.6 | — | updated Relationships |
| 2022-06-28 | CWE Content Team | 4.8 | — | updated Relationships |
| 2022-10-13 | CWE Content Team | 4.9 | — | updated Applicable_Platforms |
| 2023-01-31 | CWE Content Team | 4.10 | — | updated Description |
| 2023-04-27 | CWE Content Team | 4.11 | — | updated Detection_Factors, References, Relationships |
| 2023-06-29 | CWE Content Team | 4.12 | — | updated Mapping_Notes, Relationships |
| 2024-11-19 | CWE Content Team | 4.16 | — | updated Common_Consequences, Description, Diagram, Potential_Mitigations, Relationships |
| 2025-09-09 | CWE Content Team | 4.18 | — | updated Observed_Examples, Potential_Mitigations, References |
| 2025-12-11 | CWE Content Team | 4.19 | — | updated Applicable_Platforms, Observed_Examples, Relationships, Weakness_Ordinalities |
| 2026-04-30 | CWE Content Team | 4.20 | — | updated Alternate_Terms, Relationships |
| Type | Name | Date | Comment |
|---|---|---|---|
| Content | Abhi Balakrishnan | 2024-02-29 | Contributed usability diagram concepts used by the CWE team |