By weakness (CWE)

CWE-502: related vulnerabilities

CVEs classified under CWE-502. Understanding the weakness class helps prioritize systemic fixes over one-off patches.

13 published vulnerabilities

  • CVE-2025-11993HIGH 8.8

    The WooCommerce Infinite Scroll and Ajax Pagination plugin contains a security flaw that allows authenticated WordPress users (including low-privilege subscribers) to inject malicious PHP objects through the plugin's import settings feature. While the plugin itself doesn't provide a direct attack path, if other plugins or themes on the same WordPress installation have known gadget chains, an attacker could exploit this vulnerability to delete files, steal data, or run arbitrary code. The vulnerability affects all versions up to and including 1.8.

  • CVE-2026-42359HIGH 8.8

    Apache Airflow contains a bypass of an earlier security fix that allows authenticated users with restricted permissions to inject malicious code into deferred tasks. An attacker with legitimate write access to task metadata can craft a specially formatted request to set hidden configuration values that trigger remote code execution when the task resumes. This affects organizations where any untrusted team members have editing permissions on Airflow workflows.

  • CVE-2026-39550HIGH 8.1

    Aperitif, a WordPress theme by Elated-Themes, contains a deserialization flaw that allows attackers to inject malicious objects into the application. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary code or compromise the integrity and confidentiality of affected websites. The vulnerability exists in versions 1.6 and earlier.

  • CVE-2026-39551HIGH 8.1

    A critical flaw in Elated-Themes' Töbel plugin allows attackers to inject malicious objects through unsafe deserialization. An unauthenticated remote attacker can exploit this vulnerability to achieve arbitrary code execution, data theft, or system compromise. The attack requires some specific conditions to be met, but once exploited, grants full control over affected systems.

  • CVE-2026-39555HIGH 8.1

    A critical flaw has been discovered in Elated-Themes' Askka plugin (versions up to and including 1.3.1) that allows attackers to inject malicious objects through deserialization of untrusted data. When the plugin processes serialized data from an untrusted source without proper validation, an attacker can craft a specially designed payload that, when deserialized by the vulnerable code, instantiates arbitrary PHP objects. This object injection can lead to remote code execution, data theft, or system compromise depending on available gadget chains within the application environment.

  • CVE-2026-42211HIGH 8.1

    React Router versions 7.0.0 through 7.14.1 contain a high-severity vulnerability that could enable remote code execution when using Framework Mode. The attack is two-stage: it requires an application to already contain a prototype pollution flaw, which an attacker can then exploit to trigger unauthorized code execution on the server. Applications using the library's Declarative Mode or Data Mode routing are unaffected. The vulnerability was patched in version 7.14.2.

  • CVE-2026-24221HIGH 7.8

    NVIDIA's NVTabular library contains a deserialization vulnerability that could allow an authenticated attacker to execute arbitrary code, modify data, or steal sensitive information. The vulnerability is rated HIGH severity and requires local system access and valid user credentials to exploit. While not currently listed as actively exploited, this flaw merits prompt attention given the potential for code execution on systems processing sensitive machine learning datasets.

  • CVE-2026-24237HIGH 7.8

    NVIDIA NVTabular is vulnerable to unsafe deserialization of untrusted data. An attacker with local access and basic user privileges could exploit this flaw to execute arbitrary code, modify data, or steal sensitive information from systems running the affected software.

  • CVE-2026-25551HIGH 7.8

    Seagull Software BarTender versions 2021 R1 through 12.0.1 contain a flaw that allows local users with standard privileges to gain system-level access. The vulnerability stems from how BarTender's system service handles incoming network requests—it trusts serialized data without proper validation, allowing an attacker to craft malicious requests that execute code with the highest Windows privileges. Because the vulnerable service only listens on the local machine, an attacker must already have a local user account to exploit it, but once inside, they can escalate to full system control.

  • CVE-2026-38950HIGH 7.8

    ESA AnomalyMatch versions before 1.3.1 contain a critical flaw that allows attackers with local system access to run malicious code by uploading specially crafted model checkpoint files. The vulnerability stems from the application's use of unsafe deserialization when loading PyTorch model files, which can execute arbitrary Python code during the loading process. An attacker who can place a malicious model file in the session directories—or trick a user into loading one—gains the ability to execute commands with the privileges of the AnomalyMatch process.

  • CVE-2026-37579HIGH 7.3

    SMSGate sms-core versions 2.1.13.6 and earlier contain a remote code execution vulnerability in the CMPP7 message handling component. An unauthenticated attacker on the network can exploit this flaw to execute arbitrary code on affected systems without any user interaction, potentially gaining full control of the SMS gateway infrastructure.

  • CVE-2026-34993MEDIUM 6.4

    AIOHTTP, a popular Python library for building asynchronous web applications, contains a vulnerability in its cookie handling mechanism. When the `CookieJar.load()` function processes untrusted cookie files, attackers can craft malicious files that execute arbitrary code on the affected system. However, the vulnerability requires specific conditions: an application must explicitly load cookies from attacker-controlled files, which is uncommon in typical deployments where cookie data comes from trusted sources or user profiles.

  • CVE-2026-10566MEDIUM 5.3

    A vulnerability exists in FoundationAgents MetaGPT versions up to 0.8.2 that allows local attackers with user-level privileges to trigger unsafe deserialization through manipulation of function arguments in the Message.check_instruct_content handler. An attacker with local access and basic user permissions can exploit this to potentially read, modify, or disrupt system operations. Public exploit code is available, increasing near-term risk for organizations running affected versions.