Cwe 502

🧬 CWE Related 70
slug: cwe-502

Explanation

CWE-502は「シリアライズされたデータ (オブジェクトをバイト列に変換したもの) を信頼せずに復元 (デシリアライズ) してしまう」欠陥です。 Java・Python・PHP・.NETなどで、攻撃者が細工したオブジェクトを送ると任意コード実行されてしまうため、Webサーバー乗っ取りの典型ルートです。
📌 Example
CVE-2017-9805 (Apache Struts2 REST Plugin): XMLデシリアライズによるRCEで、Equifax事件 (1.4億人個人情報流出) の直接原因となった。

🔖 Related tags

🛡 Vulnerabilities tagged with this 494

ID Title
CVE-2024-53326 Unsafe Deserialization in deserialization (CVE-2024-53326)
CVE-2022-21549 Unsafe Deserialization in java (CVE-2022-21549)
CVE-2022-21341 Unsafe Deserialization in java (CVE-2022-21341)
CVE-2026-34084 Unsafe Deserialization in phpoffice/phpspreadsheet (CVE-2026-34084)
CVE-2026-42027 Vulnerability in org.apache.opennlp:opennlp-tools (CVE-2026-42027)
CVE-2026-37552 Unsafe Deserialization in deserialization (CVE-2026-37552)
CVE-2025-60889 Unsafe Deserialization in deserialization (CVE-2025-60889)
CVE-2025-60887 Unsafe Deserialization in deserialization (CVE-2025-60887)
CVE-2026-27172 Unsafe Deserialization in apache (CVE-2026-27172)
CVE-2026-40858 Unsafe Deserialization in apache (CVE-2026-40858)
CVE-2026-33454 Unsafe Deserialization in apache (CVE-2026-33454)
CVE-2026-40860 Unsafe Deserialization in apache (CVE-2026-40860)
CVE-2026-40048 Unsafe Deserialization in apache (CVE-2026-40048)
CVE-2026-40473 Unsafe Deserialization in apache (CVE-2026-40473)
CVE-2026-41316 Vulnerability in erb (CVE-2026-41316)
CVE-2026-6857 Unsafe Deserialization in org.apache.camel:camel-infinispan (CVE-2026-6857)
CVE-2026-22016 Information Disclosure in c (CVE-2026-22016)
CVE-2026-5426 Vulnerability in csharp (CVE-2026-5426)
CVE-2026-1462 Unsafe Deserialization in keras (CVE-2026-1462)
CVE-2026-25204 Unsafe Deserialization in dos (CVE-2026-25204)
CVE-2023-21529 KEV [KEV] Unsafe Deserialization in Microsoft exchange-server (CVE-2023-21529)
CVE-2026-23869 Vulnerability in react (CVE-2026-23869)
CVE-2026-32590 Unsafe Deserialization in redhat (CVE-2026-32590)
CVE-2026-34877 Vulnerability in arm (CVE-2026-34877)
CVE-2026-33728 Unsafe Deserialization in com.datadoghq:dd-java-agent (CVE-2026-33728)
CVE-2026-33701 Unsafe Deserialization in linuxfoundation (CVE-2026-33701)
CVE-2026-0677 Unsafe Deserialization in deserialization (CVE-2026-0677)
CVE-2026-20131 KEV [KEV] Unsafe Deserialization in Cisco secure-firewall-management-center-fmc (CVE-2026-20131)
CVE-2026-20963 KEV [KEV] Unsafe Deserialization in Microsoft sharepoint (CVE-2026-20963)
CVE-2025-13913 Unsafe Deserialization in inductiveautomation (CVE-2025-13913)

🍪 About cookies

We use cookies to keep you logged in, remember your language, and improve the service.

Details →