CVE-2020-5741
Deserialization of Untrusted Data — is CVE-2020-5741real, exploitable, or a false positive? Here's the community ground truth.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Deserialization of Untrusted Data in Plex Media Server on Windows allows a remote, authenticated attacker to execute arbitrary Python code.
NVD only has a brief summary for this one — the community fills in the real-world detail below.
References
Published
Embed this verdict
[](https://www.truepositive.app/cve/CVE-2020-5741)<a href="https://www.truepositive.app/cve/CVE-2020-5741"><img src="https://www.truepositive.app/cve/CVE-2020-5741/badge.svg" alt="TruePositive verdict for CVE-2020-5741"></a>Live badge — updates automatically as the community verdict changes.
Community ground truth
Community verdict
2 verdictsIncludes TruePositive's curated baseline from public sources — community verdicts accrue on top.
Pick your verdict — we'll save it right after a quick sign-in.
In line with its CVSS base score.
Field notes & remediation
Verdicts are the quick signal — notes are the evidence and fixes behind them.
- 0
Plex Media Server Remote Code Execution Vulnerability — Plex Media Server contains a remote code execution vulnerability that allows an attacker with access to the server administrator's Plex account to upload a malicious file via the Camera Upload feature and have the media server execute it. Listed in the CISA KEV catalog (added 2023-03-10) — confirmed exploited in the wild, not theoretical. FIRST EPSS puts the chance of exploitation in the next 30 days at ~73%. Treat it as real and prioritize remediation over triage.
- 0
Required action for Plex Media Server: Apply updates per vendor instructions. CISA set a federal remediation due date of 2023-03-31. After patching, verify the vulnerable path is no longer reachable before closing the finding.
Related CVEs
Same weakness — CWE-502 · Deserialization of Untrusted Data.
- CVE-2021-35464CVSS 9.8KEVEPSS 100%
ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application Framework (JATO) found in versions of Java 8 or earlier
- CVE-2023-0669CVSS 7.2KEVEPSS 100%
Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object. This issue was patched in version 7.1.2.
- CVE-2023-29300CVSS 9.8KEVEPSS 100%
Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.
- CVE-2025-53770CVSS 9.8KEVEPSS 100%
Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.
- CVE-2022-47986CVSS 9.8KEVEPSS 100%
IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system. The obsolete API call was removed in Faspex 4.4.2 PL2. IBM X-Force ID: 243512.
- CVE-2022-41082CVSS 8KEVEPSS 100%
Microsoft Exchange Server Remote Code Execution Vulnerability