Skip to main content

CWE-502

Deserialization of Untrusted Data

2321 CVEs Avg CVSS 8.6 MITRE
941
CRITICAL
1178
HIGH
175
MEDIUM
24
LOW
468
POC
61
KEV

Monthly

CVE-2026-24227 MEDIUM This Month

NVIDIA TensorRT for contains a vulnerability where a user might cause a deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution.

Nvidia RCE Deserialization Tensorrt
NVD
CVSS 3.1
5.3
EPSS
0.5%
CVE-2026-24220 MEDIUM This Month

NVIDIA TensorRT-LLM for any platform contains a vulnerability in visual gen server, where an attacker could cause an unsafe deserialization by unauthorized zeroMQ deserialization. A successful exploit of this vulnerability might lead to code execution.

Nvidia RCE Deserialization Tensorrt Llm
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-47472 HIGH This Week

Local privilege-context deserialization in NVIDIA TensorRT-LLM lets an attacker who already has same-user access to a host running the inference stack abuse its inter-process communication layer to trigger unsafe object deserialization (CWE-502), potentially yielding code execution, information disclosure, data tampering, and denial of service. The flaw is vendor-reported by NVIDIA and carries a CVSS 3.1 base of 7.8 (AV:L), meaning it is not remotely reachable but converts existing local access into full compromise of the model-serving process. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Nvidia Denial Of Service Information Disclosure Deserialization RCE +1
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-24233 HIGH This Week

Insecure deserialization in NVIDIA TensorRT-LLM for Linux lets a local, low-privileged attacker abuse a weakness in the restricted unpickler that handles model-weight loading, potentially achieving code execution, privilege escalation, data tampering, and information disclosure. The flaw (CWE-502, CVSS 8.4) affects the GPU LLM-inference library and stems from the restricted unpickler failing to fully constrain what can be deserialized from an untrusted model artifact. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Information Disclosure Nvidia RCE Deserialization Tensorrt Llm
NVD
CVSS 3.1
8.4
EPSS
0.3%
CVE-2026-50649 HIGH PATCH Exploit Unlikely This Week

Local code execution in Microsoft .NET 8.0 and 9.0 (and bundled Visual Studio 2022/2026 toolchains) arises from unsafe deserialization of untrusted data (CWE-502), letting an unprivileged local attacker run arbitrary code in the context of the targeted process once a user is lured into opening or processing a malicious serialized payload. The CVSS 3.1 base score is 7.8 with high impact to confidentiality, integrity, and availability, but the vector (AV:L/UI:R) confines it to local attacks that require user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Deserialization Net 8 0 Net 9 0 Microsoft Visual Studio 2022 Version 17 12 Microsoft Visual Studio 2022 Version 17 14 +1
NVD
CVSS 3.1
7.8
EPSS
0.9%
CVE-2026-55944 CRITICAL PATCH NEWS Exploit Likely Act Now

Remote code execution in Microsoft Dynamics NAV 2018 allows an unauthorized, network-based attacker to run arbitrary code by submitting maliciously crafted serialized data that the application deserializes without validation (CWE-502). With a CVSS 9.8 vector requiring no authentication and no user interaction, successful exploitation grants full compromise of the ERP host. Microsoft has released a patch via MSRC; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Microsoft Deserialization Microsoft Dynamics Nav 2018
NVD
CVSS 3.1
9.8
EPSS
1.3%
CVE-2026-50509 HIGH PATCH Exploit Likely This Week

Local privilege escalation in the Windows Wireless Wide Area Network Service (WwanSvc) lets an authenticated low-privileged user elevate to SYSTEM by delivering crafted serialized data that the service deserializes unsafely (CWE-502). Reported by Microsoft, it affects a broad range of Windows 10, Windows 11, and Windows Server builds and carries CVSS 7.8 with high confidentiality, integrity, and availability impact. No public exploit is identified at time of analysis and it is not in CISA KEV, but a vendor patch is available.

Microsoft Deserialization Windows 10 Version 1607 Windows 10 Version 1809 Windows 10 Version 21H2 +10
NVD
CVSS 3.1
7.8
EPSS
2.3%
CVE-2026-50652 HIGH PATCH Exploit Unlikely This Week

Denial of service in Microsoft Azure Active Directory (now Entra ID) allows a remote, unauthenticated attacker to disrupt service availability by sending crafted serialized data that triggers unsafe deserialization (CWE-502). The flaw carries a CVSS 7.5 (High) with a fully network-reachable, no-privilege, no-interaction vector, but impact is confined to availability - confidentiality and integrity are not affected. Microsoft has released a fix via MSRC; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Microsoft Deserialization Azure Active Directory
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2026-58644 CRITICAL POC PATCH CISA NEWS Exploit Likely Act Now

Remote code execution in Microsoft SharePoint (Enterprise Server 2016, Server 2019, and Server Subscription Edition) allows an unauthenticated network attacker to run arbitrary code on the server by submitting maliciously crafted serialized data (CWE-502). The CVSS 3.1 base score is 9.8 with a fully remote, no-interaction, no-privilege vector (AV:N/AC:L/PR:N/UI:N), placing it among the most severe SharePoint flaws. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but insecure-deserialization RCE in SharePoint has historically been a high-value target for rapid weaponization.

Microsoft Deserialization Microsoft Sharepoint Enterprise Server 2016 Microsoft Sharepoint Server 2019 Microsoft Sharepoint Server Subscription Edition
NVD
CVSS 3.1
9.8
EPSS
1.3%
Threat
5.5
CVE-2026-50522 CRITICAL PATCH NEWS Exploit Likely Act Now

Remote code execution in Microsoft SharePoint Server (2016, 2019, and Subscription Edition) lets an unauthenticated attacker run arbitrary code by sending a crafted serialized payload over the network. The flaw is an untrusted-data deserialization (CWE-502) rated CVSS 9.8 with PR:N/UI:N, meaning no credentials or user interaction are required. No public exploit identified at time of analysis, but the pre-auth network vector and SharePoint's long history as an attacker target make this a high-priority patch.

Microsoft Deserialization Microsoft Sharepoint Enterprise Server 2016 Microsoft Sharepoint Server 2019 Microsoft Sharepoint Server Subscription Edition
NVD
CVSS 3.1
9.8
EPSS
19.7%
EPSS 0% CVSS 5.3
MEDIUM This Month

NVIDIA TensorRT for contains a vulnerability where a user might cause a deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution.

Nvidia RCE Deserialization +1
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

NVIDIA TensorRT-LLM for any platform contains a vulnerability in visual gen server, where an attacker could cause an unsafe deserialization by unauthorized zeroMQ deserialization. A successful exploit of this vulnerability might lead to code execution.

Nvidia RCE Deserialization +1
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege-context deserialization in NVIDIA TensorRT-LLM lets an attacker who already has same-user access to a host running the inference stack abuse its inter-process communication layer to trigger unsafe object deserialization (CWE-502), potentially yielding code execution, information disclosure, data tampering, and denial of service. The flaw is vendor-reported by NVIDIA and carries a CVSS 3.1 base of 7.8 (AV:L), meaning it is not remotely reachable but converts existing local access into full compromise of the model-serving process. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Nvidia Denial Of Service Information Disclosure +3
NVD
EPSS 0% CVSS 8.4
HIGH This Week

Insecure deserialization in NVIDIA TensorRT-LLM for Linux lets a local, low-privileged attacker abuse a weakness in the restricted unpickler that handles model-weight loading, potentially achieving code execution, privilege escalation, data tampering, and information disclosure. The flaw (CWE-502, CVSS 8.4) affects the GPU LLM-inference library and stems from the restricted unpickler failing to fully constrain what can be deserialized from an untrusted model artifact. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Information Disclosure Nvidia RCE +2
NVD
EPSS 1% CVSS 7.8
HIGH PATCH Exploit Unlikely This Week

Local code execution in Microsoft .NET 8.0 and 9.0 (and bundled Visual Studio 2022/2026 toolchains) arises from unsafe deserialization of untrusted data (CWE-502), letting an unprivileged local attacker run arbitrary code in the context of the targeted process once a user is lured into opening or processing a malicious serialized payload. The CVSS 3.1 base score is 7.8 with high impact to confidentiality, integrity, and availability, but the vector (AV:L/UI:R) confines it to local attacks that require user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Deserialization Net 8 0 Net 9 0 +3
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Exploit Likely Act Now

Remote code execution in Microsoft Dynamics NAV 2018 allows an unauthorized, network-based attacker to run arbitrary code by submitting maliciously crafted serialized data that the application deserializes without validation (CWE-502). With a CVSS 9.8 vector requiring no authentication and no user interaction, successful exploitation grants full compromise of the ERP host. Microsoft has released a patch via MSRC; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Microsoft Deserialization Microsoft Dynamics Nav 2018
NVD
EPSS 2% CVSS 7.8
HIGH PATCH Exploit Likely This Week

Local privilege escalation in the Windows Wireless Wide Area Network Service (WwanSvc) lets an authenticated low-privileged user elevate to SYSTEM by delivering crafted serialized data that the service deserializes unsafely (CWE-502). Reported by Microsoft, it affects a broad range of Windows 10, Windows 11, and Windows Server builds and carries CVSS 7.8 with high confidentiality, integrity, and availability impact. No public exploit is identified at time of analysis and it is not in CISA KEV, but a vendor patch is available.

Microsoft Deserialization Windows 10 Version 1607 +12
NVD
EPSS 1% CVSS 7.5
HIGH PATCH Exploit Unlikely This Week

Denial of service in Microsoft Azure Active Directory (now Entra ID) allows a remote, unauthenticated attacker to disrupt service availability by sending crafted serialized data that triggers unsafe deserialization (CWE-502). The flaw carries a CVSS 7.5 (High) with a fully network-reachable, no-privilege, no-interaction vector, but impact is confined to availability - confidentiality and integrity are not affected. Microsoft has released a fix via MSRC; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Microsoft Deserialization Azure Active Directory
NVD
EPSS 1% 5.5 CVSS 9.8
CRITICAL POC PATCH Exploit Likely Act Now

Remote code execution in Microsoft SharePoint (Enterprise Server 2016, Server 2019, and Server Subscription Edition) allows an unauthenticated network attacker to run arbitrary code on the server by submitting maliciously crafted serialized data (CWE-502). The CVSS 3.1 base score is 9.8 with a fully remote, no-interaction, no-privilege vector (AV:N/AC:L/PR:N/UI:N), placing it among the most severe SharePoint flaws. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but insecure-deserialization RCE in SharePoint has historically been a high-value target for rapid weaponization.

Microsoft Deserialization Microsoft Sharepoint Enterprise Server 2016 +2
NVD
EPSS 20% CVSS 9.8
CRITICAL PATCH Exploit Likely Act Now

Remote code execution in Microsoft SharePoint Server (2016, 2019, and Subscription Edition) lets an unauthenticated attacker run arbitrary code by sending a crafted serialized payload over the network. The flaw is an untrusted-data deserialization (CWE-502) rated CVSS 9.8 with PR:N/UI:N, meaning no credentials or user interaction are required. No public exploit identified at time of analysis, but the pre-auth network vector and SharePoint's long history as an attacker target make this a high-priority patch.

Microsoft Deserialization Microsoft Sharepoint Enterprise Server 2016 +2
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy