Cwe 502

🧬 CWE Related 70
slug: cwe-502

Explanation

CWE-502は「シリアライズされたデータ (オブジェクトをバイト列に変換したもの) を信頼せずに復元 (デシリアライズ) してしまう」欠陥です。 Java・Python・PHP・.NETなどで、攻撃者が細工したオブジェクトを送ると任意コード実行されてしまうため、Webサーバー乗っ取りの典型ルートです。
📌 Example
CVE-2017-9805 (Apache Struts2 REST Plugin): XMLデシリアライズによるRCEで、Equifax事件 (1.4億人個人情報流出) の直接原因となった。

🔖 Related tags

🛡 Vulnerabilities tagged with this 492

ID Title
CVE-2026-35300 Unsafe Deserialization in c (CVE-2026-35300)
CVE-2026-48775 Unsafe Deserialization in langgraph-checkpoint (CVE-2026-48775)
CVE-2026-10748 Unsafe Deserialization in CVE-2026-10748 (CVE-2026-10748)
CVE-2026-24228 Unsafe Deserialization in deserialization (CVE-2026-24228)
CVE-2026-48853 Unsafe Deserialization in deserialization (CVE-2026-48853)
CVE-2026-9691 Unsafe Deserialization in CVE-2026-9691 (CVE-2026-9691)
CVE-2026-49769 Unauthenticated PHP Object Injection in wpForo Forum <= 3.1.0 versions.
CVE-2026-49768 Unauthenticated PHP Object Injection in Happyforms <= 1.26.13 versions.
CVE-2026-49781 Unauthenticated PHP Object Injection in OttoKit <= 1.1.27 versions.
CVE-2026-49770 Unauthenticated PHP Object Injection in WP Travel Engine <= 6.7.12 versions.
CVE-2026-49765 Unsafe Deserialization in CVE-2026-49765 (CVE-2026-49765)
CVE-2026-49763 Unauthenticated PHP Object Injection in Integration for Contact Form 7 HubSpot <= 1.3.7 versions.
CVE-2026-49105 Unsafe Deserialization in CVE-2026-49105 (CVE-2026-49105)
CVE-2026-49106 Unsafe Deserialization in CVE-2026-49106 (CVE-2026-49106)
CVE-2026-49104 Unsafe Deserialization in CVE-2026-49104 (CVE-2026-49104)
CVE-2026-49085 Unsafe Deserialization in CVE-2026-49085 (CVE-2026-49085)
CVE-2026-49109 Unsafe Deserialization in CVE-2026-49109 (CVE-2026-49109)
CVE-2026-42687 Unauthenticated PHP Object Injection in EventPrime <= 4.3.2.1 versions.
CVE-2026-39532 Contributor PHP Object Injection in Events Calendar for GeoDirectory <= 2.3.25 versions.
CVE-2026-39471 Author PHP Object Injection in ShortPixel Image Optimizer <= 6.4.3 versions.
CVE-2026-39474 Contributor PHP Object Injection in Post Duplicator <= 3.0.10 versions.
CVE-2026-39478 Unsafe Deserialization in CVE-2026-39478 (CVE-2026-39478)
CVE-2026-39472 Shop manager PHP Object Injection in WooCommerce PDF Invoices & Packing Slips < 5.9.0 versions.
CVE-2026-39481 Author PHP Object Injection in Modula Image Gallery <= 2.14.18 versions.
CVE-2026-39499 Unsafe Deserialization in CVE-2026-39499 (CVE-2026-39499)
CVE-2026-39498 Shop manager PHP Object Injection in YayMail <= 4.3.3 versions.
CVE-2026-27333 Unsafe Deserialization in deserialization (CVE-2026-27333)
CVE-2026-27053 Unauthenticated PHP Object Injection in Broadcast Live Video < 7.1.3 versions.
CVE-2026-39434 Shop manager PHP Object Injection in CTX Feed <= 6.6.26 versions.
CVE-2026-39006 Vulnerability in CVE-2026-39006 (CVE-2026-39006)

🍪 About cookies

We use cookies to keep you logged in, remember your language, and improve the service.

Details →