deserialization
deserialization
- CVE-2026-53914 - JetBrains Kotlin unsafe deserialization
- CVE-2026-45051 - OpenAM WebAuthn deserialization RCE
- CVE-2026-12191 - openpilot pickle deserialization
- CVE-2026-48109 - MessagePack LZ4 decompression denial of service
- CVE-2025-55182 - React Server Components RCE
- CVE-2026-45034 - PHPSpreadsheet PHAR wrapper patch bypass
- CVE-2026-40993 - Spring Security JDBC SAML credential deserialization
- CVE-2026-40993 - Spring Security SAML credential BLOB deserialization RCE
- CVE-2026-42211 - React Router Framework Mode deserialization RCE
- CVE-2026-42779 - Apache MINA resolveClass deserialization RCE
- CVE-2025-60455 - Modular Max Serve unsafe deserialization
- CVE-2026-24159 — NVIDIA NeMo deserialization RCE
- CVE-2026-24164 — NVIDIA BioNeMo deserialization RCE
- PHP object deserialization — `unserialize` on untrusted data
- Ruby unsafe deserialization — `Marshal.load` / `YAML.load`
- CVE-2017-18342 — PyYAML default `load` resolves arbitrary tags
- Java ObjectInputStream and friends
- Python pickle / dill on untrusted input
- PyYAML `yaml.load` without a safe Loader