Cwe 502

🧬 CWE Related 70
slug: cwe-502

Explanation

CWE-502は「シリアライズされたデータ (オブジェクトをバイト列に変換したもの) を信頼せずに復元 (デシリアライズ) してしまう」欠陥です。 Java・Python・PHP・.NETなどで、攻撃者が細工したオブジェクトを送ると任意コード実行されてしまうため、Webサーバー乗っ取りの典型ルートです。
📌 Example
CVE-2017-9805 (Apache Struts2 REST Plugin): XMLデシリアライズによるRCEで、Equifax事件 (1.4億人個人情報流出) の直接原因となった。

🔖 Related tags

🛡 Vulnerabilities tagged with this 492

ID Title
CVE-2025-56422 Unsafe Deserialization in deserialization (CVE-2025-56422)
CVE-2025-26399 KEV [KEV] Unsafe Deserialization in Solarwinds web-help-desk (CVE-2025-26399)
CVE-2026-27830 Code Injection in deserialization (CVE-2026-27830)
CVE-2026-27727 Vulnerability in mchange (CVE-2026-27727)
CVE-2026-25747 Unsafe Deserialization in apache (CVE-2026-25747)
CVE-2025-49113 KEV [KEV] Unsafe Deserialization in Roundcube webmail (CVE-2025-49113)
CVE-2025-69872 Code Injection in CVE-2025-69872 (CVE-2025-69872)
CVE-2025-40551 KEV [KEV] Unsafe Deserialization in Solarwinds web-help-desk (CVE-2025-40551)
CVE-2025-61140 The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution.
CVE-2026-24747 Code Injection in linuxfoundation (CVE-2026-24747)
CVE-2026-23864 Vulnerability in react (CVE-2026-23864)
CVE-2025-56005 Unsafe Deserialization in dabeaz (CVE-2025-56005)
CVE-2025-11157 Unsafe Deserialization in CVE-2025-11157 (CVE-2025-11157)
CVE-2025-71339 Unsafe Deserialization in picklescan (CVE-2025-71339)
CVE-2025-61168 Unsafe Deserialization in sigb (CVE-2025-61168)
CVE-2025-59287 KEV [KEV] Unsafe Deserialization in Microsoft windows (CVE-2025-59287)
CVE-2025-10035 KEV [KEV] Unsafe Deserialization in Fortra goanywhere-mft (CVE-2025-10035)
CVE-2025-5086 KEV [KEV] Unsafe Deserialization in Dassault systèmes dassault-systemes (CVE-2025-5086)
CVE-2025-53690 KEV [KEV] Unsafe Deserialization in Sitecore multiple-products (CVE-2025-53690)
CVE-2025-71344 Unsafe Deserialization in picklescan (CVE-2025-71344)
CVE-2025-71358 Unsafe Deserialization in picklescan (CVE-2025-71358)
CVE-2025-71354 Unsafe Deserialization in picklescan (CVE-2025-71354)
CVE-2024-8069 KEV [KEV] Unsafe Deserialization in Citrix session-recording (CVE-2024-8069)
CVE-2024-54678 Unsafe Deserialization in CVE-2024-54678 (CVE-2024-54678)
CVE-2025-25691 Command Injection in deserialization (CVE-2025-25691)
CVE-2025-25692 Command Injection in deserialization (CVE-2025-25692)
CVE-2025-53770 KEV [KEV] Unsafe Deserialization in Microsoft sharepoint (CVE-2025-53770)
CVE-2025-24016 KEV [KEV] Unsafe Deserialization in wazuh (CVE-2025-24016)
CVE-2025-42999 KEV [KEV] Unsafe Deserialization in Sap netweaver (CVE-2025-42999)
CVE-2025-2251 Unsafe Deserialization in deserialization (CVE-2025-2251)

🍪 About cookies

We use cookies to keep you logged in, remember your language, and improve the service.

Details →