Cwe 502

🧬 CWE Related 70
slug: cwe-502

Explanation

CWE-502は「シリアライズされたデータ (オブジェクトをバイト列に変換したもの) を信頼せずに復元 (デシリアライズ) してしまう」欠陥です。 Java・Python・PHP・.NETなどで、攻撃者が細工したオブジェクトを送ると任意コード実行されてしまうため、Webサーバー乗っ取りの典型ルートです。
📌 Example
CVE-2017-9805 (Apache Struts2 REST Plugin): XMLデシリアライズによるRCEで、Equifax事件 (1.4億人個人情報流出) の直接原因となった。

🔖 Related tags

🛡 Vulnerabilities tagged with this 492

ID Title
CVE-2026-42211 React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE
CVE-2026-34993 Unsafe Deserialization in aiohttp (CVE-2026-34993)
CVE-2026-24237 Unsafe Deserialization in deserialization (CVE-2026-24237)
CVE-2026-24221 Unsafe Deserialization in deserialization (CVE-2026-24221)
CVE-2026-39555 Deserialization of Untrusted Data vulnerability in Elated-Themes Askka allows Object Injection. ...
CVE-2026-39551 Unsafe Deserialization in deserialization (CVE-2026-39551)
CVE-2026-39550 Unsafe Deserialization in deserialization (CVE-2026-39550)
CVE-2026-10566 Vulnerability in deserialization (CVE-2026-10566)
CVE-2026-9330 Unsafe Deserialization in deserialization (CVE-2026-9330)
CVE-2026-9319 Unsafe Deserialization in deserialization (CVE-2026-9319)
CVE-2026-49121 Unsafe Deserialization in amd (CVE-2026-49121)
CVE-2026-38950 Unsafe Deserialization in deserialization (CVE-2026-38950)
CVE-2026-10532 Unsafe Deserialization in privilege-escalation (CVE-2026-10532)
CVE-2026-7858 Unsafe Deserialization in deserialization (CVE-2026-7858)
CVE-2026-42359 Unsafe Deserialization in apache-airflow (CVE-2026-42359)
CVE-2026-45360 Unsafe Deserialization in apache-airflow (CVE-2026-45360)
CVE-2026-10042 Unsafe Deserialization in deserialization (CVE-2026-10042)
CVE-2025-11993 Unsafe Deserialization in wordpress (CVE-2025-11993)
CVE-2026-9828 Unsafe Deserialization in ch.qos.logback:logback-core (CVE-2026-9828)
CVE-2026-37579 Unsafe Deserialization in CVE-2026-37579 (CVE-2026-37579)
CVE-2026-47161 Unsafe Deserialization in CVE-2026-47161 (CVE-2026-47161)
CVE-2026-48919 Unsafe Deserialization in org.jenkins-ci.plugins:active-directory (CVE-2026-48919)
CVE-2026-48917 Unsafe Deserialization in org.jenkins-ci.plugins:ldap (CVE-2026-48917)
CVE-2026-24162 Unsafe Deserialization in deserialization (CVE-2026-24162)
CVE-2026-45247 KEV [KEV] Unsafe Deserialization in Mirasvit full-page-cache-warmer (CVE-2026-45247)
CVE-2026-9497 Vulnerability in org.mengyun:tcc-transaction (CVE-2026-9497)
CVE-2026-4372 Unsafe Deserialization in transformers (CVE-2026-4372)
CVE-2026-45659 KEV [KEV] Unsafe Deserialization in Microsoft deserialization (CVE-2026-45659)
CVE-2026-41104 Unsafe Deserialization in deserialization (CVE-2026-41104)
CVE-2026-39832 Vulnerability in golang.org/x/crypto (CVE-2026-39832)

🍪 About cookies

We use cookies to keep you logged in, remember your language, and improve the service.

Details →