Get a demo
100% Signal 0% Noise Invicti Logo - The Largest Dynamic Application Security Solutions Provider In The World Get a demo
Web Application Vulnerabilities Runtime SCA Findings
Looking for the vulnerability index of Invicti's legacy products?
Invicti Enterprise Acunetix Standard & Premium

Insecure Deserialization

This page lists 50 vulnerabilities in this category.

Critical: 8 High: 38 Medium: 4
Vulnerability Name
CVE
CWE
Severity
Sitecore XM/XP Insecure Deserialization (CVE-2025-27218)
CVE-2025-27218
CWE-502
Critical
ColdFusion WDDX Deserialization RCE (CVE-2023-44353)
CVE-2023-44353
CWE-502
Critical
SolarWinds Web Help Desk RCE (CVE-2024-28986)
CVE-2024-28986
CWE-502
Critical
IBM Aspera Faspex RCE (CVE-2022-47986)
CVE-2022-47986
CWE-502
Critical
ColdFusion WDDX Deserialization RCE (CVE-2023-29300/CVE-2023-38203/CVE-2023-38204)
CVE-2023-38204
CWE-502
Critical
WS_FTP AHT Deserialization RCE (CVE-2023-40044)
CVE-2023-40044
CWE-502
Critical
ActiveMQ OpenWire RCE (CVE-2023-46604)
CVE-2023-46604
CWE-502
Critical
Apache Log4j socket receiver deserialization vulnerability
CVE-2017-5645
CWE-502
Critical
Sitecore XP Deserialization RCE (CVE-2021-42237)
CVE-2021-42237
CWE-502
High
Oracle Business Intelligence AMF Deserialization RCE CVE-2020-2950
CVE-2020-2950
CWE-502
High
Oracle E-Business Suite Deserialization RCE
-
CWE-502
High
Apache OFBiz XMLRPC Deserialization RCE (CVE-2020-9496/CVE-2023-49070)
CVE-2023-49070
CWE-502
High
Ruby on Rails DoubleTap RCE (CVE-2019-5420)
CVE-2019-5420
CWE-502
High
Telerik Web UI RadAsyncUpload Deserialization
CVE-2019-18935
CWE-78
High
Apache OFBiz SOAPService Deserialization RCE
CVE-2021-26295
CWE-502
High
.NET JSON.NET Deserialization RCE
-
CWE-502
High
Deserialization of Untrusted Data (XStream)
CVE-2020-26217
CWE-502
High
ForgeRock AM / OpenAM Deserialization RCE (CVE-2021-35464)
CVE-2021-35464
CWE-502
High
AjaxPro.NET Professional Deserialization RCE (CVE-2021-23758)
CVE-2021-23758
CWE-502
High
.NET HTTP Remoting publicly exposed
-
CWE-502
High
node-serialize Insecure Deserialization
CVE-2017-5941
CWE-502
High
Oracle ADF Faces 'Miracle' RCE (CVE-2022-21445)
CVE-2022-21445
CWE-502
High
Oracle Access Manager 'opensso' Deserialization RCE (CVE-2021-35587)
CVE-2021-35587
CWE-502
High
ColdFusion CFC Deserialization RCE (CVE-2023-26359/CVE-2023-26360)
CVE-2023-26360
CWE-502
High
Kentico CMS Deserialization RCE
CVE-2019-10068
CWE-502
High
CakePHP 1.3.5 / 1.2.8 unserialize() vulnerability
CVE-2010-4335
CWE-20
High
Invision Power Board version 3.3.4 unserialize PHP code execution
CVE-2012-5692
CWE-20
High
Deserialization of Untrusted Data (Java JSON Deserialization) JsonIO
-
CWE-502
High
vBulletin PHP object injection vulnerability
-
CWE-915
High
Apache Shiro Deserialization RCE
CVE-2016-4437
CWE-78
High
Flex BlazeDS AMF Deserialization RCE
CVE-2017-5641
CWE-502
High
ColdFusion AMF Deserialization RCE
CVE-2017-3066
CWE-502
High
Deserialization of Untrusted Data (Java JSON Deserialization) Fastjson
-
CWE-502
High
Deserialization of Untrusted Data (Java JSON Deserialization) Genson
-
CWE-502
High
DNN (DotNetNuke) CMS Cookie Deserialization RCE CVE-2017-9822
CVE-2017-9822
CWE-502
High
Deserialization of Untrusted Data (Java JSON Deserialization) Jackson
CVE-2017-7525
CWE-502
High
Deserialization of Untrusted Data (Java Object Deserialization)
-
CWE-502
High
Liferay TunnelServlet Deserialization Remote Code Execution
-
CWE-502
High
Python pickle serialization
-
CWE-502
High
IBM WebSphere RCE Java Deserialization Vulnerability
CVE-2015-7450
CWE-502
High
Oracle Weblogic WLS-WSAT Component Deserialization RCE
CVE-2017-10271
CWE-94
High
ColdFusion FlashGateway Deserialization RCE CVE-2019-7091
CVE-2019-7091
CWE-502
High
SAP Hybris Deserialization RCE
CVE-2019-0344
CWE-502
High
Oracle Weblogic Async Component Deserialization RCE CVE-2019-2725
CVE-2019-2725
CWE-94
High
Apache Solr Deserialization of untrusted data via jmx.serviceUrl
CVE-2019-0192
-
High
Deserialization of Untrusted Data (.NET BinaryFormatter Object Deserialization)
-
CWE-502
High
PHP unserialize() used on user input
-
CWE-20
Medium
Python object deserialization of user-supplied data
-
CWE-20
Medium
PHP object deserialization of user-supplied data
-
CWE-20
Medium
Java object deserialization of user-supplied data
-
CWE-20
Medium