CWE-502
AllowedDeserialization of Untrusted Data
Abstraction: Base · Status: Draft
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
4797 vulnerabilities reference this CWE, most recent first.
GHSA-W68H-WPMM-Q4P8
Vulnerability from github – Published: 2026-03-25 18:31 – Updated: 2026-03-26 18:31Deserialization of Untrusted Data vulnerability in Edge-Themes Pelicula pelicula-video-production-and-movie-theme allows Object Injection.This issue affects Pelicula: from n/a through < 1.10.
{
"affected": [],
"aliases": [
"CVE-2026-32512"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-25T17:17:03Z",
"severity": "CRITICAL"
},
"details": "Deserialization of Untrusted Data vulnerability in Edge-Themes Pelicula pelicula-video-production-and-movie-theme allows Object Injection.This issue affects Pelicula: from n/a through \u003c 1.10.",
"id": "GHSA-w68h-wpmm-q4p8",
"modified": "2026-03-26T18:31:36Z",
"published": "2026-03-25T18:31:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32512"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Theme/pelicula-video-production-and-movie-theme/vulnerability/wordpress-pelicula-theme-1-10-php-object-injection-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W69Q-W4H4-2FX8
Vulnerability from github – Published: 2024-09-19 18:30 – Updated: 2025-07-22 21:41There exists a use after free vulnerability in Reverb. Reverb supports the VARIANT datatype, which is supposed to represent an arbitrary object in C++. When a tensor proto of type VARIANT is unpacked, memory is first allocated to store the entire tensor, and a ctor is called on each instance. Afterwards, Reverb copies the content in tensor_content to the previously mentioned pre-allocated memory, which results in the bytes in tensor_content overwriting the vtable pointers of all the objects which were previously allocated. Reverb exposes 2 relevant gRPC endpoints: InsertStream and SampleStream. The attacker can insert this stream into the server’s database, then when the client next calls SampleStream they will unpack the tensor into RAM, and when any method on that object is called (including its destructor) the attacker gains control of the Program Counter. We recommend upgrading past git commit https://github.com/google-deepmind/reverb/commit/6a0dcf4c9e842b7f999912f792aaa6f6bd261a25
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "dm-reverb"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.14.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "dm-reverb-nightly"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.15.0.dev20240214"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-8375"
],
"database_specific": {
"cwe_ids": [
"CWE-416",
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-19T19:47:59Z",
"nvd_published_at": "2024-09-19T16:15:06Z",
"severity": "MODERATE"
},
"details": "There exists a use after free vulnerability in Reverb.\u00a0Reverb supports the VARIANT datatype, which is supposed to represent an arbitrary object in C++. When a tensor proto of type VARIANT is unpacked, memory is first allocated to store the entire tensor, and a ctor is called on each instance. Afterwards, Reverb copies the content in tensor_content\u00a0to the previously mentioned pre-allocated memory, which results in the bytes in tensor_content\u00a0overwriting the vtable pointers of all the objects which were previously allocated.\u00a0Reverb exposes 2 relevant gRPC endpoints: InsertStream and SampleStream. The attacker can insert this stream into the server\u2019s database, then when the client next calls SampleStream they will unpack the tensor into RAM, and when any method on that object is called (including its destructor) the attacker gains control of the Program Counter. We recommend upgrading past git commit\u00a0 https://github.com/google-deepmind/reverb/commit/6a0dcf4c9e842b7f999912f792aaa6f6bd261a25",
"id": "GHSA-w69q-w4h4-2fx8",
"modified": "2025-07-22T21:41:44Z",
"published": "2024-09-19T18:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8375"
},
{
"type": "WEB",
"url": "https://github.com/google-deepmind/reverb/issues/141"
},
{
"type": "WEB",
"url": "https://github.com/google-deepmind/reverb/commit/6a0dcf4c9e842b7f999912f792aaa6f6bd261a25"
},
{
"type": "PACKAGE",
"url": "https://github.com/google-deepmind/reverb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "Reverb use after free vulnerability"
}
GHSA-W6J7-CG7R-5H58
Vulnerability from github – Published: 2024-01-27 12:30 – Updated: 2024-01-27 12:30A vulnerability was found in StanfordVL GibsonEnv 0.3.1. It has been classified as critical. Affected is the function cloudpickle.load of the file gibson\utils\pposgd_fuse.py. The manipulation leads to deserialization. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252204.
{
"affected": [],
"aliases": [
"CVE-2024-0959"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-27T11:15:17Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in StanfordVL GibsonEnv 0.3.1. It has been classified as critical. Affected is the function cloudpickle.load of the file gibson\\utils\\pposgd_fuse.py. The manipulation leads to deserialization. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252204.",
"id": "GHSA-w6j7-cg7r-5h58",
"modified": "2024-01-27T12:30:25Z",
"published": "2024-01-27T12:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0959"
},
{
"type": "WEB",
"url": "https://github.com/bayuncao/vul-cve-7"
},
{
"type": "WEB",
"url": "https://github.com/bayuncao/vul-cve-7/blob/main/dataset.pkl"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.252204"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.252204"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-W6JR-WJ64-MC9X
Vulnerability from github – Published: 2022-01-06 22:52 – Updated: 2022-01-06 19:32Impact
Deserialization of Untrusted Data was found in the old() function in CodeIgniter4.
Remote attackers may inject auto-loadable arbitrary objects with this vulnerability,
and possibly execute existing PHP code on the server.
We are aware of a working exploit, which can lead to SQL injection.
Patches
Upgrade to v4.1.6 or later.
Workarounds
Do not use:
- old() and form_helper
- RedirectResponse::withInput() and redirect()->withInput()
References
For more information
If you have any questions or comments about this advisory: * Open an issue in codeigniter4/CodeIgniter4 * Email us at SECURITY.md
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "codeigniter4/framework"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-21647"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2022-01-06T19:32:43Z",
"nvd_published_at": "2022-01-04T20:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nDeserialization of Untrusted Data was found in the `old()` function in CodeIgniter4.\nRemote attackers may inject auto-loadable arbitrary objects with this vulnerability, \nand possibly execute existing PHP code on the server.\nWe are aware of a working exploit, which can lead to SQL injection.\n\n### Patches\nUpgrade to v4.1.6 or later.\n\n### Workarounds\nDo not use:\n- `old()` and form_helper\n- `RedirectResponse::withInput()` and `redirect()-\u003ewithInput()`\n\n### References\n- [PHP Object Injection | OWASP](https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [codeigniter4/CodeIgniter4](https://github.com/codeigniter4/CodeIgniter4/issues)\n* Email us at [SECURITY.md](https://github.com/codeigniter4/CodeIgniter4/blob/develop/SECURITY.md)\n",
"id": "GHSA-w6jr-wj64-mc9x",
"modified": "2022-01-06T19:32:43Z",
"published": "2022-01-06T22:52:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-w6jr-wj64-mc9x"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21647"
},
{
"type": "WEB",
"url": "https://github.com/codeigniter4/CodeIgniter4/commit/ce95ed5765256e2f09f3513e7d42790e0d6948f5"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/codeigniter4/framework/CVE-2022-21647.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/codeigniter4/CodeIgniter4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Deserialization of Untrusted Data in Codeigniter4"
}
GHSA-W6PX-4FHM-XXGC
Vulnerability from github – Published: 2022-05-24 17:47 – Updated: 2022-05-24 17:47The run_action function of the Facebook for WordPress plugin before 3.0.0 deserializes user supplied data making it possible for PHP objects to be supplied creating an Object Injection vulnerability. There was also a useable magic method in the plugin that could be used to achieve remote code execution.
{
"affected": [],
"aliases": [
"CVE-2021-24217"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-12T14:15:00Z",
"severity": "HIGH"
},
"details": "The run_action function of the Facebook for WordPress plugin before 3.0.0 deserializes user supplied data making it possible for PHP objects to be supplied creating an Object Injection vulnerability. There was also a useable magic method in the plugin that could be used to achieve remote code execution.",
"id": "GHSA-w6px-4fhm-xxgc",
"modified": "2022-05-24T17:47:07Z",
"published": "2022-05-24T17:47:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-24217"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/509f2754-a1a1-4142-9126-ae023a88533a"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/blog/2021/03/two-vulnerabilities-patched-in-facebook-for-wordpress-plugin"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-W6RX-9G2X-MG5G
Vulnerability from github – Published: 2024-12-10 00:31 – Updated: 2025-06-04 00:43Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable.
This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to unserialize(). There are no such known exploits in Drupal core.
To help protect against this potential vulnerability, types have been added to properties in some of Drupal core's classes. If an application extends those classes, the same types may need to be specified on the subclass to avoid a TypeError.
This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/core"
},
"ranges": [
{
"events": [
{
"introduced": "8.8.0"
},
{
"fixed": "10.2.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/core"
},
"ranges": [
{
"events": [
{
"introduced": "10.3.0"
},
{
"fixed": "10.3.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/core"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "11.0.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/core-recommended"
},
"ranges": [
{
"events": [
{
"introduced": "8.8.0"
},
{
"fixed": "10.2.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/core-recommended"
},
"ranges": [
{
"events": [
{
"introduced": "10.3.0"
},
{
"fixed": "10.3.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/core-recommended"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "11.0.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/drupal"
},
"ranges": [
{
"events": [
{
"introduced": "8.8.0"
},
{
"fixed": "10.2.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/drupal"
},
"ranges": [
{
"events": [
{
"introduced": "10.3.0"
},
{
"fixed": "10.3.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "drupal/drupal"
},
"ranges": [
{
"events": [
{
"introduced": "11.0.0"
},
{
"fixed": "11.0.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-55637"
],
"database_specific": {
"cwe_ids": [
"CWE-502",
"CWE-915"
],
"github_reviewed": true,
"github_reviewed_at": "2024-12-10T19:09:22Z",
"nvd_published_at": "2024-12-10T00:15:22Z",
"severity": "HIGH"
},
"details": "Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable.\n\nThis issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to `unserialize()`. There are no such known exploits in Drupal core.\n\nTo help protect against this potential vulnerability, types have been added to properties in some of Drupal core\u0027s classes. If an application extends those classes, the same types may need to be specified on the subclass to avoid a `TypeError`.\n\nThis issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.",
"id": "GHSA-w6rx-9g2x-mg5g",
"modified": "2025-06-04T00:43:36Z",
"published": "2024-12-10T00:31:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55637"
},
{
"type": "WEB",
"url": "https://github.com/drupal/core/commit/1664030d399c73b4144f410f2ccc68c66a947f8d"
},
{
"type": "PACKAGE",
"url": "https://github.com/drupal/core"
},
{
"type": "WEB",
"url": "https://www.drupal.org/sa-core-2024-007"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Drupal core contains a potential PHP Object Injection vulnerability"
}
GHSA-W726-M5F9-394J
Vulnerability from github – Published: 2026-06-17 18:35 – Updated: 2026-06-17 18:35Deserialization of Untrusted Data vulnerability in Themeton The Barber Shop allows Object Injection.
This issue affects The Barber Shop: from n/a through 1.9.
{
"affected": [],
"aliases": [
"CVE-2025-60230"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-17T14:17:31Z",
"severity": "CRITICAL"
},
"details": "Deserialization of Untrusted Data vulnerability in Themeton The Barber Shop allows Object Injection.\n\nThis issue affects The Barber Shop: from n/a through 1.9.",
"id": "GHSA-w726-m5f9-394j",
"modified": "2026-06-17T18:35:53Z",
"published": "2026-06-17T18:35:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60230"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/theme/nrgbarbershop/vulnerability/wordpress-the-barber-shop-theme-1-9-php-object-injection-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W729-7633-2FW5
Vulnerability from github – Published: 2021-10-27 18:52 – Updated: 2021-10-29 13:51An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should upgrade to version 1.2.4
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.storm:storm"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.storm:storm"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.2.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.storm:storm"
},
"ranges": [
{
"events": [
{
"introduced": "2.1.0"
},
{
"fixed": "2.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-40865"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2021-10-26T17:53:48Z",
"nvd_published_at": "2021-10-25T13:15:00Z",
"severity": "CRITICAL"
},
"details": "An Unsafe Deserialization vulnerability exists in the worker services of the Apache Storm supervisor server allowing pre-auth Remote Code Execution (RCE). Apache Storm 2.2.x users should upgrade to version 2.2.1 or 2.3.0. Apache Storm 2.1.x users should upgrade to version 2.1.1. Apache Storm 1.x users should upgrade to version 1.2.4",
"id": "GHSA-w729-7633-2fw5",
"modified": "2021-10-29T13:51:56Z",
"published": "2021-10-27T18:52:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40865"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r8d45e74299897b6734dd0f788c46a631009ce2eeb731523386f7a253%40%3Cuser.storm.apache.org%3E"
},
{
"type": "WEB",
"url": "https://seclists.org/oss-sec/2021/q4/45"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Deserialization of Untrusted Data leading to Remote Code Execution in Apache Storm"
}
GHSA-W734-7QF2-5392
Vulnerability from github – Published: 2024-04-24 09:30 – Updated: 2026-04-01 18:31Deserialization of Untrusted Data vulnerability in Import and export users and customers.This issue affects Import and export users and customers: from n/a through 1.26.2.
{
"affected": [],
"aliases": [
"CVE-2024-32817"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-24T08:15:40Z",
"severity": "MODERATE"
},
"details": "Deserialization of Untrusted Data vulnerability in Import and export users and customers.This issue affects Import and export users and customers: from n/a through 1.26.2.",
"id": "GHSA-w734-7qf2-5392",
"modified": "2026-04-01T18:31:46Z",
"published": "2024-04-24T09:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32817"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/import-users-from-csv-with-meta/vulnerability/wordpress-import-and-export-users-and-customers-plugin-1-26-2-php-object-injection-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/import-users-from-csv-with-meta/wordpress-import-and-export-users-and-customers-plugin-1-26-2-php-object-injection-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-W776-2RQX-9PJH
Vulnerability from github – Published: 2026-06-10 09:31 – Updated: 2026-06-10 09:31An attacker who intercepts and tampers with traffic between the client application and the API Gateway server could potentially deserialize arbitrary objects. This vulnerability could lead to broken security expectations or remote code execution.
{
"affected": [],
"aliases": [
"CVE-2026-11815"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-10T07:16:24Z",
"severity": "MODERATE"
},
"details": "An attacker who intercepts and tampers with traffic between the client application and the API Gateway server could potentially deserialize arbitrary objects. This vulnerability could lead to broken security expectations or remote code execution.",
"id": "GHSA-w776-2rqx-9pjh",
"modified": "2026-06-10T09:31:57Z",
"published": "2026-06-10T09:31:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11815"
},
{
"type": "WEB",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37631"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
Mitigation
When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.
Mitigation
Explicitly define a final object() to prevent deserialization.
Mitigation
- Make fields transient to protect them from deserialization.
- An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.
Mitigation
Avoid having unnecessary types or gadgets (a sequence of instances and method invocations that can self-execute during the deserialization process, often found in libraries) available that can be leveraged for malicious ends. This limits the potential for unintended or unauthorized types and gadgets to be leveraged by the attacker. Add only acceptable classes to an allowlist. Note: new gadgets are constantly being discovered, so this alone is not a sufficient mitigation.
Mitigation
Employ cryptography of the data or code for protection. However, it's important to note that it would still be client-side security. This is risky because if the client is compromised then the security implemented on the client (the cryptography) can be bypassed.
Mitigation MIT-29
Strategy: Firewall
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-586: Object Injection
An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.