CWE-502


Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.


We have discovered 472,216 live websites that are affected by CWE-502.

CVEs

  • Count - 188



Website Distribution by Country

Number of websites affected by CWE-502

| Country | Websites |
|---|---|
| United States | 154,265 |
| Germany | 42,292 |
| GB | 22,943 |
| France | 21,879 |
| Italy | 17,924 |
| Vietnam | 15,905 |
| Netherlands | 14,165 |
| Canada | 12,255 |
| Spain | 10,427 |
| Russia | 10,310 |

Website Distribution by TLD

Number of websites affected by CWE-502

| TLD | Websites |
|---|---|
| .com | 201,088 |
| .de | 24,825 |
| .org | 22,828 |
| .co.uk | 15,216 |
| .it | 12,772 |
| .nl | 12,751 |
| .net | 12,309 |
| .fr | 9,697 |
| .com.au | 8,976 |
| .com.br | 8,897 |

Newest CVEs

List of the most recent CVEs that are part of CWE-502

| Discovered | CVE | Description | Websites |
|---|---|---|---|
| Apr, 2026 | CVE-2026-35537 | An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the... | 15,595 |
| Apr, 2026 | CVE-2026-29782 | OpenSTAManager: Remote Code Execution via Insecure Deserialization in OAuth2 | 8 |
| Mar, 2026 | CVE-2026-3328 | Frontend Admin by DynamiApps <= 3.28.31 - Authenticated (Editor+) PHP Object Injection via 'post_content' of Admin Form Posts | 1,406 |
| Mar, 2026 | CVE-2026-25445 | WordPress WishList Member X plugin <= 3.29.0 - PHP Object Injection vulnerability | 396 |
| Mar, 2026 | CVE-2026-26114 | Microsoft SharePoint Server Remote Code Execution Vulnerability | 3,346 |
| Mar, 2026 | CVE-2026-2020 | JS Archive List <= 6.1.7 - Authenticated (Contributor+) PHP Object Injection via 'included' Shortcode Attribute | 740 |
| Mar, 2026 | CVE-2026-3452 | Concrete CMS below 9.4.8 is vulnerable to stored deserialization leading to RCE in the Express Entry List block. | 11,688 |
| Mar, 2026 | CVE-2026-27971 | Qwik affected by unauthenticated RCE via server$ Deserialization | 12,899 |
| Mar, 2026 | CVE-2025-50198 | Chamilo: Deserialization of untrusted data in /plugin/vchamilo/views/import.php via POST configuration_file; POST course_path; POST home_path parameters | 8 |
| Mar, 2026 | CVE-2025-52998 | Chamilo: PHAR deserialization bypass | 8 |

List of the most common CVEs that are part of CWE-502

| Discovered | CVE | Description | Websites |
|---|---|---|---|
| Dec, 2023 | CVE-2023-28782 | WordPress Gravity Forms Plugin <= 2.7.3 is vulnerable to PHP Object Injection | 75,656 |
| Dec, 2023 | CVE-2023-40555 | WordPress Flatsome Theme <= 3.17.5 is vulnerable to PHP Object Injection | 55,978 |
| Aug, 2024 | CVE-2024-2694 | Betheme <= 27.5.6 - Authenticated (Contributor+) PHP Object Injection | 51,621 |
| Sep, 2025 | CVE-2025-9083 | Ninja-forms < 3.11.1 - Unauthenticated PHP Objection | 51,401 |
| Oct, 2023 | CVE-2023-3154 | NextGEN Gallery < 3.39 - Admin+ PHAR Deserialization | 29,815 |
| Jul, 2025 | CVE-2025-6464 | Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.44.2 - Unauthenticated PHP Object Injection (PHAR) Triggered via Administrator Form Submission Deletion | 18,179 |
| Apr, 2024 | CVE-2024-32600 | WordPress Master Slider plugin <= 3.9.5 - PHP Object Injection vulnerability | 15,889 |
| Apr, 2026 | CVE-2026-35537 | An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the... | 15,595 |
| Sep, 2025 | CVE-2025-9260 | Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder 5.1.16 - 6.1.1 - Authenticated (Subscriber+) PHP Object Injection To Arbitrary File Read | 13,964 |
| Mar, 2026 | CVE-2026-27971 | Qwik affected by unauthenticated RCE via server$ Deserialization | 12,899 |

Websites affected by CWE-502

Top websites that are affected by CWE-502.

| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ********.****.com | United States | *** | |
| *******.com | United States | *,*** | |
| ***************.eu | Netherlands | *,*** | |
| ****.******.jp | Japan | *,*** | |
| ***.int | Switzerland | *,*** | |
| *.******.net | United States | *,*** | |
| **********.dk | Denmark | *,*** | |
| ***.****.******.jp | Japan | *,*** | |
| ******.gov | United States | *,*** | |
| *********.nl | United States | *,*** | |