Critical
Insecure Deserialization
Executing arbitrary code by manipulating serialized objects.
Insecure deserialization occurs when untrusted data is deserialized without validation. Attackers craft malicious serialized objects (PHP, Java, Python pickle) that execute code during deserialization. Can lead to RCE. Use simple data formats like JSON instead.