Unsafe deserialization vulnerabilities
Unsafe deserialization occurs when untrusted data is deserialized into live objects — in Java, .NET, PHP or Python — letting attackers instantiate gadget chains that end in code execution. Almost every advisory in this class is effectively an RCE, which its exploitation rate reflects.
Classification is assigned by the CSIRTS enrichment pipeline from the advisory text. The list below shows the latest advisories tagged unsafe deserialization, newest first, across national CERTs, vendor PSIRTs and vulnerability databases — exploited marks CVEs in the CISA KEV catalog.