CWE-502 (可信数据的反序列化) — Vulnerability Class 1668

1668 vulnerabilities classified as CWE-502 (可信数据的反序列化). AI Chinese analysis included.

CVE ID	Title	CVSS	Severity	Published
CVE-2026-35464	pyLoad has an incomplete fix for CVE-2026-33509: unprotected storage_folder enables arbitrary file write to Flask session store and code execution — pyload	7.5	High	2026-04-07
CVE-2026-1839	Arbitrary Code Execution via Unsafe torch.load() in Trainer Checkpoint Loading in huggingface/transformers — huggingface/transformers	9.8^AI	Critical^AI	2026-04-07
CVE-2026-5659	pytries datrie trie File datrie.pyx Trie.__setstate__ deserialization — datrie	6.3	Medium	2026-04-06
CVE-2026-5536	FedML-AI FedML gRPC server grpc_server.py sendMessage deserialization — FedML	7.3	High	2026-04-05
CVE-2026-5473	NASA cFS Pickle pickle.load deserialization — cFS	4.5	Medium	2026-04-03
CVE-2026-35537	Roundcube Webmail 代码问题漏洞 — Webmail	3.7	Low	2026-04-03
CVE-2026-34838	Group-Office: Authenticated Remote Code Execution via PHP Insecure Deserialization in `AbstractSettingsCollection` — groupoffice	10.0	Critical	2026-04-02
CVE-2026-29782	OpenSTAManager: Remote Code Execution via Insecure Deserialization in OAuth2 — openstamanager	7.2	High	2026-04-02
CVE-2026-24165	NVIDIA BioNeMo 代码问题漏洞 — BioNeMo Framework	7.8	High	2026-03-31
CVE-2026-24164	NVIDIA BioNeMo 代码问题漏洞 — BioNeMo Framework	8.8	High	2026-03-31
CVE-2026-4266	WatchGuard Firebox Insecure Deserialization in Fireware Access Portal — Fireware OS	7.8	-	2026-03-30
CVE-2026-4416	GIGABYTE｜Performance Library - Insecure Deserialization — Performance Library	7.8	High	2026-03-30
CVE-2026-4851	GRID::Machine versions through 0.127 for Perl allows arbitrary code execution via unsafe deserialization — GRID::Machine	9.8	-	2026-03-29
CVE-2026-33728	dd-trace-java: Unsafe deserialization in RMI instrumentation may lead to remote code execution — dd-trace-java	8.1	-	2026-03-27
CVE-2026-33725	Metabase vulnerable to RCE and Arbitrary File Read via H2 JDBC INIT Injection in EE Serialization Import — metabase	7.2	High	2026-03-27
CVE-2026-33701	OpenTelemetry: Unsafe Deserialization in RMI Instrumentation may Lead to Remote Code Execution — opentelemetry-java-instrumentation	8.1	-	2026-03-27
CVE-2026-4860	648540858 wvp-GB28181-pro API Endpoint RedisTemplateConfig.java GenericFastJsonRedisSerializer deserialization — wvp-GB28181-pro	7.3	High	2026-03-26
CVE-2026-3328	Frontend Admin by DynamiApps <= 3.28.31 - Authenticated (Editor+) PHP Object Injection via 'post_content' of Admin Form Posts — Frontend Admin by DynamiApps	7.2	High	2026-03-26
CVE-2026-33942	Saloon has insecure deserialization in AccessTokenAuthenticator (object injection / RCE) — saloon	8.8	-	2026-03-26
CVE-2026-32512	WordPress Pelicula theme < 1.10 - PHP Object Injection vulnerability — Pelicula	9.8	-	2026-03-25
CVE-2026-32513	WordPress JS Archive List plugin <= 6.1.7 - PHP Object Injection vulnerability — JS Archive List	8.8	-	2026-03-25
CVE-2026-32511	WordPress Stål theme < 1.7 - Arbitrary Object Instantiation vulnerability — Stål	9.8	-	2026-03-25
CVE-2026-32510	WordPress Kamperen theme < 1.3 - Arbitrary Object Instantiation vulnerability — Kamperen	9.8	-	2026-03-25
CVE-2026-32507	WordPress Leroux theme < 1.4 - Arbitrary Object Instantiation vulnerability — Leroux	9.8	-	2026-03-25
CVE-2026-32506	WordPress Archicon theme < 1.7 - Arbitrary Object Instantiation vulnerability — Archicon	9.8	-	2026-03-25
CVE-2026-32509	WordPress Gracey theme < 1.4 - Arbitrary Object Instantiation vulnerability — Gracey	9.8	-	2026-03-25
CVE-2026-32508	WordPress Halstein theme < 1.8 - Arbitrary Object Instantiation vulnerability — Halstein	9.8	-	2026-03-25
CVE-2026-32502	WordPress Borgholm theme < 1.6 - PHP Object Injection vulnerability — Borgholm	9.8	-	2026-03-25
CVE-2026-32484	WordPress weForms plugin <= 1.6.26 - PHP Object Injection vulnerability — weForms	9.8	-	2026-03-25
CVE-2026-27095	WordPress Bus Ticket Booking with Seat Reservation plugin <= 5.6.0 - PHP Object Injection vulnerability — Bus Ticket Booking with Seat Reservation	9.8	Critical	2026-03-25

Vulnerabilities classified as CWE-502 (可信数据的反序列化) represent 1668 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.

Goal Reached Thanks to every supporter — we hit 100%!

CWE-502 (可信数据的反序列化) — Vulnerability Class 1668