Common Weakness Enumeration

CWE-502

Allowed

Deserialization of Untrusted Data

Abstraction: Base · Status: Draft

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

4797 vulnerabilities reference this CWE, most recent first.

GHSA-2FJ3-QVR8-Q2C6

Vulnerability from github – Published: 2026-03-25 18:31 – Updated: 2026-03-26 18:31
VLAI
Details

Deserialization of Untrusted Data vulnerability in thememount Apicona apicona allows Object Injection.This issue affects Apicona: from n/a through <= 24.1.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-25400"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-25T17:16:49Z",
    "severity": "HIGH"
  },
  "details": "Deserialization of Untrusted Data vulnerability in thememount Apicona apicona allows Object Injection.This issue affects Apicona: from n/a through \u003c= 24.1.0.",
  "id": "GHSA-2fj3-qvr8-q2c6",
  "modified": "2026-03-26T18:31:34Z",
  "published": "2026-03-25T18:31:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25400"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Theme/apicona/vulnerability/wordpress-apicona-theme-24-1-0-php-object-injection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2FMJ-C726-JMV7

Vulnerability from github – Published: 2026-06-30 21:31 – Updated: 2026-06-30 21:31
VLAI
Details

IBM Langflow OSS 1.0.0 through 1.10.0 allows users with Redis access to execute arbitrary code with full application privileges, compromising all secrets, data, and system integrity.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-7871"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-30T20:17:31Z",
    "severity": "CRITICAL"
  },
  "details": "IBM Langflow OSS 1.0.0 through 1.10.0 allows users with Redis access to execute arbitrary code with full application privileges, compromising all secrets, data, and system integrity.",
  "id": "GHSA-2fmj-c726-jmv7",
  "modified": "2026-06-30T21:31:44Z",
  "published": "2026-06-30T21:31:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7871"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7278443"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2FMJ-P74R-3WJM

Vulnerability from github – Published: 2026-06-26 22:10 – Updated: 2026-06-26 22:10
VLAI
Summary
PhpWeasyPrint vulnerable to PHAR deserialization via output filename (CVE-2023-28115 case-insensitive bypass)
Details

Summary

pontedilana/php-weasyprint guarded the output filename against the phar:// stream wrapper with a case-sensitive blacklist:

if (0 === \strpos($filename, 'phar://')) {
    throw new \InvalidArgumentException('The output file cannot be a phar archive.');
}

PHP stream wrappers are case-insensitive, so PHAR://, Phar://, etc. bypass the check and reach fileExists() (file_exists()) in prepareOutput(). On PHP 7 (which the library still supports — PHP 7.4+), this triggers deserialization of a crafted PHAR archive's metadata, leading to remote code execution. This is the patch-bypass of CVE-2023-28115.

The same issue and fix were handled upstream in KnpLabs/snappy (GHSA-92rv-4j2h-8mjj).

Affected versions

pontedilana/php-weasyprint versions <= 2.5.1 (the case-sensitive guard was introduced in commit eb8accc, "Implement countermeasures for CVE-2023-28115").

Patched in: 2.6.0.

Privilege required

A caller able to control the output filename passed to generate() / generateFromHtml(), plus the ability to place a PHAR archive on the filesystem (e.g. via an upload). Exploitation of the deserialization requires the server to run PHP < 8.

Vulnerable code

src/AbstractGenerator.php, prepareOutput():

if (0 === \strpos($filename, 'phar://')) {
    throw new \InvalidArgumentException('The output file cannot be a phar archive.');
}

strpos($filename, 'phar://') matches only the exact lowercase string, while the wrapper resolution is case-insensitive — PHAR://payload.phar is not caught.

Proof of concept

# Craft a PHAR with a fast-destruct gadget chain
phpggc -f Monolog/RCE1 exec 'touch /tmp/exploit' -p phar -o exploit.phar
<?php
use Pontedilana\PhpWeasyPrint\Pdf;

$pdf = new Pdf('/usr/local/bin/weasyprint');
// Case-altered wrapper bypasses the lowercase 'phar://' blacklist
$pdf->generateFromHtml('<h1>POC</h1>', 'PHAR://exploit.phar');
// On PHP < 8, the PHAR metadata is deserialized -> /tmp/exploit is created

Impact

  • Remote code execution and filesystem access through PHAR metadata deserialization on PHP < 8, when the output filename is attacker-influenced and a PHAR can be planted.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (8.1, High) — Critical in deployments running PHP 7 with an upload surface; adjust to your environment.

CWE-502 (Deserialization of Untrusted Data).

Suggested fix

Replace the case-sensitive blacklist with a scheme allow-list (file / no scheme), comparing the lowercased scheme parsed from the filename:

protected const ALLOWED_PROTOCOLS = ['file'];

protected function isProtocolAllowed(string $filename): bool
{
    if (false === $parsed = \parse_url($filename)) {
        throw new \InvalidArgumentException('The filename is not valid.');
    }
    $protocol = isset($parsed['scheme']) ? \strtolower($parsed['scheme']) : 'file';
    // ...special-case Windows drive letters (C:\...) as 'file'...
    return \in_array($protocol, self::ALLOWED_PROTOCOLS, true);
}

prepareOutput() then rejects any non-file scheme (phar, PHAR, php, http, ...) before file_exists() is reached.

Credit

Original vulnerability and patch-bypass reported upstream to KnpLabs/snappy by Rémi Matasse of Synacktiv (GHSA-92rv-4j2h-8mjj); identified as applicable to pontedilana/php-weasyprint, which mirrors the same code.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.5.1"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "pontedilana/php-weasyprint"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-49286"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-26T22:10:00Z",
    "nvd_published_at": "2026-06-19T18:16:19Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\n`pontedilana/php-weasyprint` guarded the output filename against the `phar://` stream wrapper with a case-sensitive blacklist:\n\n```php\nif (0 === \\strpos($filename, \u0027phar://\u0027)) {\n    throw new \\InvalidArgumentException(\u0027The output file cannot be a phar archive.\u0027);\n}\n```\n\nPHP stream wrappers are **case-insensitive**, so `PHAR://`, `Phar://`, etc. bypass the check and reach `fileExists()` (`file_exists()`) in `prepareOutput()`. On PHP 7 (which the library still supports \u2014 PHP 7.4+), this triggers deserialization of a crafted PHAR archive\u0027s metadata, leading to remote code execution. This is the patch-bypass of CVE-2023-28115.\n\nThe same issue and fix were handled upstream in KnpLabs/snappy ([GHSA-92rv-4j2h-8mjj](https://github.com/KnpLabs/snappy/security/advisories/GHSA-92rv-4j2h-8mjj)).\n\n### Affected versions\n\n`pontedilana/php-weasyprint` versions `\u003c= 2.5.1` (the case-sensitive guard was introduced in commit `eb8accc`, \"Implement countermeasures for CVE-2023-28115\").\n\nPatched in: `2.6.0`.\n\n### Privilege required\n\nA caller able to control the output filename passed to `generate()` / `generateFromHtml()`, plus the ability to place a PHAR archive on the filesystem (e.g. via an upload). Exploitation of the deserialization requires the server to run PHP \u003c 8.\n\n### Vulnerable code\n\n`src/AbstractGenerator.php`, `prepareOutput()`:\n\n```php\nif (0 === \\strpos($filename, \u0027phar://\u0027)) {\n    throw new \\InvalidArgumentException(\u0027The output file cannot be a phar archive.\u0027);\n}\n```\n\n`strpos($filename, \u0027phar://\u0027)` matches only the exact lowercase string, while the wrapper resolution is case-insensitive \u2014 `PHAR://payload.phar` is not caught.\n\n### Proof of concept\n\n```bash\n# Craft a PHAR with a fast-destruct gadget chain\nphpggc -f Monolog/RCE1 exec \u0027touch /tmp/exploit\u0027 -p phar -o exploit.phar\n```\n\n```php\n\u003c?php\nuse Pontedilana\\PhpWeasyPrint\\Pdf;\n\n$pdf = new Pdf(\u0027/usr/local/bin/weasyprint\u0027);\n// Case-altered wrapper bypasses the lowercase \u0027phar://\u0027 blacklist\n$pdf-\u003egenerateFromHtml(\u0027\u003ch1\u003ePOC\u003c/h1\u003e\u0027, \u0027PHAR://exploit.phar\u0027);\n// On PHP \u003c 8, the PHAR metadata is deserialized -\u003e /tmp/exploit is created\n```\n\n### Impact\n\n- Remote code execution and filesystem access through PHAR metadata deserialization on PHP \u003c 8, when the output filename is attacker-influenced and a PHAR can be planted.\n\nCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (8.1, High) \u2014 Critical in deployments running PHP 7 with an upload surface; adjust to your environment.\n\nCWE-502 (Deserialization of Untrusted Data).\n\n### Suggested fix\n\nReplace the case-sensitive blacklist with a scheme allow-list (`file` / no scheme), comparing the lowercased scheme parsed from the filename:\n\n```php\nprotected const ALLOWED_PROTOCOLS = [\u0027file\u0027];\n\nprotected function isProtocolAllowed(string $filename): bool\n{\n    if (false === $parsed = \\parse_url($filename)) {\n        throw new \\InvalidArgumentException(\u0027The filename is not valid.\u0027);\n    }\n    $protocol = isset($parsed[\u0027scheme\u0027]) ? \\strtolower($parsed[\u0027scheme\u0027]) : \u0027file\u0027;\n    // ...special-case Windows drive letters (C:\\...) as \u0027file\u0027...\n    return \\in_array($protocol, self::ALLOWED_PROTOCOLS, true);\n}\n```\n\n`prepareOutput()` then rejects any non-`file` scheme (`phar`, `PHAR`, `php`, `http`, ...) before `file_exists()` is reached.\n\n### Credit\n\nOriginal vulnerability and patch-bypass reported upstream to KnpLabs/snappy by R\u00e9mi Matasse of Synacktiv ([GHSA-92rv-4j2h-8mjj](https://github.com/KnpLabs/snappy/security/advisories/GHSA-92rv-4j2h-8mjj)); identified as applicable to `pontedilana/php-weasyprint`, which mirrors the same code.",
  "id": "GHSA-2fmj-p74r-3wjm",
  "modified": "2026-06-26T22:10:00Z",
  "published": "2026-06-26T22:10:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/KnpLabs/snappy/security/advisories/GHSA-92rv-4j2h-8mjj"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pontedilana/php-weasyprint/security/advisories/GHSA-2fmj-p74r-3wjm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49286"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pontedilana/php-weasyprint/commit/d1aa487722b5a3cab9b222b85fdb5608a5a550c3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pontedilana/php-weasyprint"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pontedilana/php-weasyprint/releases/tag/2.6.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PhpWeasyPrint vulnerable to PHAR deserialization via output filename (CVE-2023-28115 case-insensitive bypass)"
}

GHSA-2G4W-JFV5-FGMR

Vulnerability from github – Published: 2025-12-18 09:30 – Updated: 2026-01-20 15:32
VLAI
Details

Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms FreshDesk Plugin gf-freshdesk allows Object Injection.This issue affects WP Gravity Forms FreshDesk Plugin: from n/a through <= 1.3.5.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-60089"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-18T08:16:09Z",
    "severity": "CRITICAL"
  },
  "details": "Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms FreshDesk Plugin gf-freshdesk allows Object Injection.This issue affects WP Gravity Forms FreshDesk Plugin: from n/a through \u003c= 1.3.5.",
  "id": "GHSA-2g4w-jfv5-fgmr",
  "modified": "2026-01-20T15:32:30Z",
  "published": "2025-12-18T09:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60089"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/gf-freshdesk/vulnerability/wordpress-wp-gravity-forms-freshdesk-plugin-plugin-1-3-5-deserialization-of-untrusted-data-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://vdp.patchstack.com/database/Wordpress/Plugin/gf-freshdesk/vulnerability/wordpress-wp-gravity-forms-freshdesk-plugin-plugin-1-3-5-deserialization-of-untrusted-data-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2G6J-8HM3-67HP

Vulnerability from github – Published: 2025-05-23 15:31 – Updated: 2026-04-01 18:35
VLAI
Details

Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Tour | Travel Agency WordPress allows Object Injection. This issue affects Grand Tour | Travel Agency WordPress: from n/a through 5.5.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-39485"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-23T13:15:30Z",
    "severity": "CRITICAL"
  },
  "details": "Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Tour | Travel Agency WordPress allows Object Injection. This issue affects Grand Tour | Travel Agency WordPress: from n/a through 5.5.1.",
  "id": "GHSA-2g6j-8hm3-67hp",
  "modified": "2026-04-01T18:35:14Z",
  "published": "2025-05-23T15:31:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39485"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/theme/grandtour/vulnerability/wordpress-grandtour-theme-5-5-1-php-object-injection-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2GF3-M6C4-6GX9

Vulnerability from github – Published: 2025-01-30 15:31 – Updated: 2026-04-08 18:33
VLAI
Details

The iControlWP – Multiple WordPress Site Manager plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.5 via deserialization of untrusted input from the reqpars parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-13742"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-30T14:15:36Z",
    "severity": "CRITICAL"
  },
  "details": "The iControlWP \u2013 Multiple WordPress Site Manager plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.5 via deserialization of untrusted input from the reqpars parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.",
  "id": "GHSA-2gf3-m6c4-6gx9",
  "modified": "2026-04-08T18:33:48Z",
  "published": "2025-01-30T15:31:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13742"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/worpit-admin-dashboard-plugin/tags/4.4.5/lib/src/LegacyApi/RequestParameters.php#L42"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/worpit-admin-dashboard-plugin/tags/4.4.5/src/api/RequestParameters.php#L14"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3231425%40worpit-admin-dashboard-plugin\u0026new=3231425%40worpit-admin-dashboard-plugin\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6f25b0cc-60ec-49a0-8356-fd3fba97e987?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2GHQ-FX5M-357P

Vulnerability from github – Published: 2025-03-03 15:31 – Updated: 2025-09-02 21:30
VLAI
Details

Insecure deserialization and improper certificate validation in Checkmk Exchange plugin check-mk-api prior to 5.8.1

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-47092"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-03T14:15:33Z",
    "severity": "HIGH"
  },
  "details": "Insecure deserialization and improper certificate validation in Checkmk Exchange plugin check-mk-api prior to 5.8.1",
  "id": "GHSA-2ghq-fx5m-357p",
  "modified": "2025-09-02T21:30:56Z",
  "published": "2025-03-03T15:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47092"
    },
    {
      "type": "WEB",
      "url": "https://github.com/HeinleinSupport/check_mk_extensions/commit/b5a2a7529e3367d7a643e66f05da4f2a27013904"
    },
    {
      "type": "WEB",
      "url": "https://exchange.checkmk.com/p/check-mk-api"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-2GMP-34J9-FQJM

Vulnerability from github – Published: 2026-04-01 18:36 – Updated: 2026-04-03 23:15
VLAI
Summary
Replicator deserializes untrusted user input
Details

An unauthenticated Remote Code Execution (RCE) vulnerability exists in applications that use the Replicator node package manager (npm) version 1.0.5 to deserialize untrusted user input and execute the resulting object.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "replicator"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-2265"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-03T23:15:20Z",
    "nvd_published_at": "2026-04-01T17:28:38Z",
    "severity": "MODERATE"
  },
  "details": "An unauthenticated Remote Code Execution (RCE) vulnerability exists in applications that use the Replicator node package manager (npm) version 1.0.5 to deserialize untrusted user input and execute the resulting object.",
  "id": "GHSA-2gmp-34j9-fqjm",
  "modified": "2026-04-03T23:15:20Z",
  "published": "2026-04-01T18:36:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2265"
    },
    {
      "type": "WEB",
      "url": "https://github.com/inikulin/replicator/pull/19"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/inikulin/replicator"
    },
    {
      "type": "WEB",
      "url": "https://morielharush.github.io/2026/03/31/cve-2026-2265-replicator-deserialization-of-untrusted-data"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Replicator deserializes untrusted user input"
}

GHSA-2GMP-8PR5-3JC6

Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2022-05-24 19:10
VLAI
Details

In JetBrains TeamCity before 2020.2.4, there was an insecure deserialization.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-37544"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-06T14:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "In JetBrains TeamCity before 2020.2.4, there was an insecure deserialization.",
  "id": "GHSA-2gmp-8pr5-3jc6",
  "modified": "2022-05-24T19:10:18Z",
  "published": "2022-05-24T19:10:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37544"
    },
    {
      "type": "WEB",
      "url": "https://blog.jetbrains.com/blog/2021/08/05/jetbrains-security-bulletin-q2-2021"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-2GXW-G2PJ-PX2Q

Vulnerability from github – Published: 2025-01-07 06:32 – Updated: 2026-04-08 18:33
VLAI
Details

The Custom Product Tabs for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.8.5 via deserialization of untrusted input in the 'yikes_woo_products_tabs' post meta parameter. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-11465"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-07T05:15:13Z",
    "severity": "HIGH"
  },
  "details": "The Custom Product Tabs for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.8.5 via deserialization of untrusted input in the \u0027yikes_woo_products_tabs\u0027 post meta parameter. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.",
  "id": "GHSA-2gxw-g2pj-px2q",
  "modified": "2026-04-08T18:33:47Z",
  "published": "2025-01-07T06:32:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11465"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/yikes-inc-easy-custom-woocommerce-product-tabs/trunk/admin/class.yikes-woo-generate-html.php#L19"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/yikes-inc-easy-custom-woocommerce-product-tabs/trunk/admin/class.yikes-woo-saved-tabs.php#L222"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/yikes-inc-easy-custom-woocommerce-product-tabs/trunk/admin/class.yikes-woo-saved-tabs.php#L449"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/yikes-inc-easy-custom-woocommerce-product-tabs/trunk/public/class.yikes-woo-tabs-display.php#L47"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/yikes-inc-easy-custom-woocommerce-product-tabs/trunk/yikes-inc-easy-custom-woocommerce-product-tabs.php#L262"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3271575"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1ad0d6eb-aafa-4f0b-bf1c-73d94e361087?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design Implementation

If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.

Mitigation
Implementation

When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Mitigation
Implementation

Explicitly define a final object() to prevent deserialization.

Mitigation
Architecture and Design Implementation
  • Make fields transient to protect them from deserialization.
  • An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.
Mitigation
Implementation

Avoid having unnecessary types or gadgets (a sequence of instances and method invocations that can self-execute during the deserialization process, often found in libraries) available that can be leveraged for malicious ends. This limits the potential for unintended or unauthorized types and gadgets to be leveraged by the attacker. Add only acceptable classes to an allowlist. Note: new gadgets are constantly being discovered, so this alone is not a sufficient mitigation.

Mitigation
Architecture and Design Implementation

Employ cryptography of the data or code for protection. However, it's important to note that it would still be client-side security. This is risky because if the client is compromised then the security implemented on the client (the cryptography) can be bypassed.

Mitigation MIT-29
Operation

Strategy: Firewall

Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].

CAPEC-586: Object Injection

An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.