https://appsec.fyi/deser.html Curated Insecure Deserialization resources from appsec.fyi en-us Wed, 22 Apr 2026 18:38:42 +0000 carl@chs.us (Carl Sampson) https://medium.com/@laughterkings95/picoctf-super-serial-writeup-php-object-injection-explained-clearly-83201433389f https://medium.com/@laughterkings95/picoctf-super-serial-writeup-php-object-injection-explained-clearly-83201433389f picoCTF Super Serial Writeup: PHP Object Injection Explained Clearly Insecure Deserialization Wed, 22 Apr 2026 12:53:02 +0000 https://medium.com/@pa2sw0rd/deep-dive-into-fastjson-deserialization-vulnerabilities-from-principles-to-practical-defense-c3be134ec8a6 https://medium.com/@pa2sw0rd/deep-dive-into-fastjson-deserialization-vulnerabilities-from-principles-to-practical-defense-c3be134ec8a6 Deep Dive into Fastjson Deserialization Vulnerabilities Insecure Deserialization Wed, 22 Apr 2026 12:53:02 +0000 https://github.com/yaleman/cve-2025-24813-poc https://github.com/yaleman/cve-2025-24813-poc CVE-2025-24813 PoC: Apache Tomcat Java Deserialization Insecure Deserialization Wed, 22 Apr 2026 12:53:01 +0000 https://research.eye.security/wsus-deserialization-exploit-in-the-wild-cve-2025-59287/ https://research.eye.security/wsus-deserialization-exploit-in-the-wild-cve-2025-59287/ WSUS Deserialization Exploit in the Wild (CVE-2025-59287) Insecure Deserialization Wed, 22 Apr 2026 12:53:00 +0000 https://www.usenix.org/conference/usenixsecurity25/presentation/zhang-yiheng https://www.usenix.org/conference/usenixsecurity25/presentation/zhang-yiheng Precise and Effective Gadget Chain Mining through Deserialization-Guided Call Graph Construction (USENIX Security 2025) Insecure Deserialization Wed, 22 Apr 2026 12:52:59 +0000 https://dl.acm.org/doi/10.1145/3715711 https://dl.acm.org/doi/10.1145/3715711 Gleipner: A Benchmark for Gadget Chain Detection in Java Deserialization Vulnerabilities Insecure Deserialization Wed, 22 Apr 2026 12:52:59 +0000 https://zeropath.com/blog/cve-2025-36072-ibm-webmethods-integration-deserialization-rce https://zeropath.com/blog/cve-2025-36072-ibm-webmethods-integration-deserialization-rce IBM webMethods Integration CVE-2025-36072: Deserialization RCE Insecure Deserialization Sun, 19 Apr 2026 02:37:10 +0000 https://www.exploit-db.com/docs/english/44756-deserialization-vulnerability.pdf https://www.exploit-db.com/docs/english/44756-deserialization-vulnerability.pdf Deserialization Vulnerability — Exploit-DB Paper Insecure Deserialization Sun, 19 Apr 2026 02:22:26 +0000 https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-ise-multivuls-FTW9AOXF.html https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-ise-multivuls-FTW9AOXF.html Cisco ISE Insecure Java Deserialization — Cisco Docs Insecure Deserialization Sun, 19 Apr 2026 02:22:26 +0000 https://www.acunetix.com/vulnerabilities/web/tag/insecure-deserialization/ https://www.acunetix.com/vulnerabilities/web/tag/insecure-deserialization/ Insecure Deserialization Vulnerabilities — Acunetix Insecure Deserialization Sun, 19 Apr 2026 02:22:25 +0000 https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-multivuls-FTW9AOXF https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-multivuls-FTW9AOXF Cisco ISE Insecure Java Deserialization (CVE-2025-20124) Insecure Deserialization Sun, 19 Apr 2026 02:22:24 +0000 https://spring.io/security/cve-2023-34040/ https://spring.io/security/cve-2023-34040/ CVE-2023-34040: Spring-Kafka Java Deserialization Insecure Deserialization Fri, 17 Apr 2026 14:53:05 +0000 https://medium.com/@virajmota38/apache-struts-vulnerability-leads-to-rce-98840f96fddb https://medium.com/@virajmota38/apache-struts-vulnerability-leads-to-rce-98840f96fddb Apache Struts vulnerability leads to RCE Insecure Deserialization Fri, 17 Apr 2026 14:53:05 +0000 https://github.com/lorenzodegiorgi/jackson-vulnerability https://github.com/lorenzodegiorgi/jackson-vulnerability Jackson deserialization vulnerability exploit (3 gadgets, GitHub) Insecure Deserialization Fri, 17 Apr 2026 14:53:04 +0000 https://www.infopercept.com/blogs/apache-struts2-code-execution-exploit https://www.infopercept.com/blogs/apache-struts2-code-execution-exploit Apache Struts2 Code Execution Exploit (Infopercept) Insecure Deserialization Fri, 17 Apr 2026 14:53:03 +0000 https://support.contrastsecurity.com/hc/en-us/articles/4402400830612-Spring-web-Java-Deserialization-CVE-2016-1000027 https://support.contrastsecurity.com/hc/en-us/articles/4402400830612-Spring-web-Java-Deserialization-CVE-2016-1000027 Spring-web Java Deserialization: CVE-2016-1000027 (Contrast) Insecure Deserialization Fri, 17 Apr 2026 14:53:02 +0000 https://blog.gigamon.com/2017/11/16/exploiting-apache-struts-a-case-study-in-writing-better-detections/ https://blog.gigamon.com/2017/11/16/exploiting-apache-struts-a-case-study-in-writing-better-detections/ Exploiting Apache Struts: Writing Better Detections (Gigamon) Insecure Deserialization Fri, 17 Apr 2026 14:53:02 +0000 https://blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf https://blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf Friday the 13th JSON Attacks (Black Hat) Insecure Deserialization Fri, 17 Apr 2026 14:52:30 +0000 https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Insecure%20Deserialization/DotNET.md https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Insecure%20Deserialization/DotNET.md PayloadsAllTheThings: Insecure Deserialization DotNET Insecure Deserialization Fri, 17 Apr 2026 14:52:29 +0000 https://book.hacktricks.xyz/pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net https://book.hacktricks.xyz/pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net Basic .Net deserialization ObjectDataProvider gadget (HackTricks) Insecure Deserialization Fri, 17 Apr 2026 14:52:28 +0000 https://github.com/CalfCrusher/Python-Pickle-RCE-Exploit https://github.com/CalfCrusher/Python-Pickle-RCE-Exploit Python-Pickle-RCE-Exploit + vulnerable Flask App (GitHub) Insecure Deserialization Fri, 17 Apr 2026 14:52:28 +0000 https://medium.com/@abhishek.dev.kumar.94/sour-pickle-insecure-deserialization-with-python-pickle-module-efa812c0d565 https://medium.com/@abhishek.dev.kumar.94/sour-pickle-insecure-deserialization-with-python-pickle-module-efa812c0d565 SOUR PICKLE: Insecure Deserialization with Python Pickle Insecure Deserialization Fri, 17 Apr 2026 14:52:27 +0000 https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Insecure%20Deserialization/Python.md https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Insecure%20Deserialization/Python.md PayloadsAllTheThings: Insecure Deserialization Python Insecure Deserialization Fri, 17 Apr 2026 14:52:26 +0000 https://knowledge.dhound.io/security-practices/exploitation/pickle-code-execution https://knowledge.dhound.io/security-practices/exploitation/pickle-code-execution Pickle Code Execution Exploitation (Dhound) Insecure Deserialization Fri, 17 Apr 2026 14:52:25 +0000 https://github.com/miguelgrinberg/python-socketio/security/advisories/GHSA-g8c6-8fjj-2r4m https://github.com/miguelgrinberg/python-socketio/security/advisories/GHSA-g8c6-8fjj-2r4m Python-socketio: Pickle deserialization RCE advisory Insecure Deserialization Fri, 17 Apr 2026 14:52:24 +0000 https://owasp.org/www-chapter-stuttgart/assets/slides/2024-12-10_Exploiting_deserialization_vulnerabilities_in_recent_Java_versions.pdf https://owasp.org/www-chapter-stuttgart/assets/slides/2024-12-10_Exploiting_deserialization_vulnerabilities_in_recent_Java_versions.pdf Exploiting deserialization in recent Java versions (OWASP Stuttgart) Insecure Deserialization Fri, 17 Apr 2026 14:52:24 +0000 https://i.blackhat.com/us-18/Thu-August-9/us-18-Haken-Automated-Discovery-of-Deserialization-Gadget-Chains-wp.pdf https://i.blackhat.com/us-18/Thu-August-9/us-18-Haken-Automated-Discovery-of-Deserialization-Gadget-Chains-wp.pdf Automated Discovery of Deserialization Gadget Chains (Black Hat) Insecure Deserialization Fri, 17 Apr 2026 14:52:23 +0000 https://docs.veracode.com/r/insecure-deserialization https://docs.veracode.com/r/insecure-deserialization Prevent insecure deserialization attacks (Veracode) Insecure Deserialization Fri, 17 Apr 2026 14:52:22 +0000 https://snynr.medium.com/understanding-insecure-deserialization-risks-and-mitigations-e726dcf624e7 https://snynr.medium.com/understanding-insecure-deserialization-risks-and-mitigations-e726dcf624e7 Understanding Insecure Deserialization: Risks and Mitigations Insecure Deserialization Fri, 17 Apr 2026 14:52:21 +0000 https://medium.com/@NiaziSec/bug-bounty-hunting-web-vulnerability-insecure-deserialization-6df3491dc33c https://medium.com/@NiaziSec/bug-bounty-hunting-web-vulnerability-insecure-deserialization-6df3491dc33c Bug Bounty Hunting: Insecure Deserialization Insecure Deserialization Fri, 17 Apr 2026 14:52:20 +0000 https://vuln.today/techniques/deserialization https://vuln.today/techniques/deserialization Insecure Deserialization - Attack Technique (vuln.today) Insecure Deserialization Fri, 17 Apr 2026 14:52:20 +0000 https://brandur.org/fragments/gadgets-and-chains https://brandur.org/fragments/gadgets-and-chains Depickling, Gadgets, and Chains: The Exploit That Unraveled Equifax Insecure Deserialization Thu, 16 Apr 2026 21:03:34 +0000 https://pentest-tools.com/blog/exploit-phar-deserialization-vulnerability https://pentest-tools.com/blog/exploit-phar-deserialization-vulnerability How to Exploit PHAR Deserialization Vulnerability Insecure Deserialization Thu, 16 Apr 2026 21:03:33 +0000 https://www.sprocketsecurity.com/blog/a-primer-on-insecure-reflection-practices-in-java-and-c-applications https://www.sprocketsecurity.com/blog/a-primer-on-insecure-reflection-practices-in-java-and-c-applications Insecure Reflection Practices in Java and C# Insecure Deserialization Thu, 16 Apr 2026 21:03:32 +0000 https://www.synacktiv.com/en/publications/java-deserialization-tricks https://www.synacktiv.com/en/publications/java-deserialization-tricks Java Deserialization Tricks - Synacktiv Insecure Deserialization Thu, 16 Apr 2026 21:03:31 +0000 https://swapneildash.medium.com/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817 https://swapneildash.medium.com/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817 Deep Dive into .NET ViewState Deserialization Insecure Deserialization Thu, 16 Apr 2026 21:03:30 +0000 https://cloud.google.com/blog/topics/threat-intelligence/viewstate-deserialization-zero-day-vulnerability https://cloud.google.com/blog/topics/threat-intelligence/viewstate-deserialization-zero-day-vulnerability ViewState Deserialization Zero-Day in Sitecore (CVE-2025-53690) Insecure Deserialization Thu, 16 Apr 2026 21:03:30 +0000 https://arxiv.org/html/2508.19774v1 https://arxiv.org/html/2508.19774v1 The Art of Hide and Seek: Pickle-Based Model Supply Chain Poisoning Insecure Deserialization Thu, 16 Apr 2026 21:03:29 +0000 https://promon.io/mobile-attack-vector-library/insecure-deserialization https://promon.io/mobile-attack-vector-library/insecure-deserialization Insecure Deserialization: Risks, Examples, and Best Practices Insecure Deserialization Fri, 10 Apr 2026 01:35:12 +0000 https://pentesterlab.com/glossary/deserialization-gadget-chain https://pentesterlab.com/glossary/deserialization-gadget-chain Deserialization Gadget Chain Definition Insecure Deserialization Fri, 10 Apr 2026 01:35:11 +0000 https://securityboulevard.com/2026/03/cve-2026-20963-sharepoint-deserialization-remote-code-execution-vulnerability/ https://securityboulevard.com/2026/03/cve-2026-20963-sharepoint-deserialization-remote-code-execution-vulnerability/ CVE-2026-20963: SharePoint Deserialization RCE Analysis Insecure Deserialization Fri, 10 Apr 2026 01:35:10 +0000 https://blog.checkpoint.com/research/sharepoint-zero-day-cve-2025-53770-actively-exploited-what-security-teams-need-to-know/ https://blog.checkpoint.com/research/sharepoint-zero-day-cve-2025-53770-actively-exploited-what-security-teams-need-to-know/ SharePoint Zero-Day CVE-2025-53770 Actively Exploited Insecure Deserialization Fri, 10 Apr 2026 01:35:09 +0000 https://cybersecuritynews.com/solarwinds-web-help-desk-deserialization-vulnerability/ https://cybersecuritynews.com/solarwinds-web-help-desk-deserialization-vulnerability/ SolarWinds Web Help Desk Deserialization Vulnerability Insecure Deserialization Fri, 10 Apr 2026 01:35:08 +0000 https://www.greynoise.io/blog/cve-2022-1471-snakeyaml-deserialization-deep-dive https://www.greynoise.io/blog/cve-2022-1471-snakeyaml-deserialization-deep-dive SnakeYAML Deserialization Deep Dive (CVE-2022-1471) Insecure Deserialization Fri, 10 Apr 2026 01:35:07 +0000 https://www.oligo.security/blog/docling-rce-a-shadow-vulnerability-introduced-via-pyyaml-cve-2026-24009 https://www.oligo.security/blog/docling-rce-a-shadow-vulnerability-introduced-via-pyyaml-cve-2026-24009 Docling RCE via PyYAML (CVE-2026-24009) Insecure Deserialization Fri, 10 Apr 2026 01:35:06 +0000 https://jfrog.com/blog/unveiling-3-zero-day-vulnerabilities-in-picklescan/ https://jfrog.com/blog/unveiling-3-zero-day-vulnerabilities-in-picklescan/ PyTorch Users at Risk: 3 Zero-Day PickleScan Vulnerabilities Insecure Deserialization Fri, 10 Apr 2026 01:35:05 +0000 https://arxiv.org/abs/2508.15987 https://arxiv.org/abs/2508.15987 PickleBall: Secure Deserialization of Pickle-based ML Models Insecure Deserialization Fri, 10 Apr 2026 01:35:04 +0000 https://advisories.gitlab.com/pkg/maven/com.datadoghq/dd-java-agent/CVE-2026-33728/ https://advisories.gitlab.com/pkg/maven/com.datadoghq/dd-java-agent/CVE-2026-33728/ CVE-2026-33728: dd-trace-java Unsafe Deserialization in RMI Insecure Deserialization Fri, 10 Apr 2026 01:35:03 +0000 https://advisories.gitlab.com/pkg/maven/org.openidentityplatform.openam/openam/CVE-2026-33439/ https://advisories.gitlab.com/pkg/maven/org.openidentityplatform.openam/openam/CVE-2026-33439/ CVE-2026-33439: OpenAM Pre-Auth RCE via Deserialization Insecure Deserialization Fri, 10 Apr 2026 01:35:02 +0000 https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Insecure%20Deserialization/Ruby.md https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Insecure%20Deserialization/Ruby.md PayloadsAllTheThings - Ruby Deserialization Payloads Insecure Deserialization Fri, 10 Apr 2026 01:35:01 +0000