CVE-2021-26857
Deserialization of Untrusted Data — is CVE-2021-26857real, exploitable, or a false positive? Here's the community ground truth.
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Microsoft Exchange Server Remote Code Execution Vulnerability
NVD only has a brief summary for this one — the community fills in the real-world detail below.
References
Published
Embed this verdict
[](https://www.truepositive.app/cve/CVE-2021-26857)<a href="https://www.truepositive.app/cve/CVE-2021-26857"><img src="https://www.truepositive.app/cve/CVE-2021-26857/badge.svg" alt="TruePositive verdict for CVE-2021-26857"></a>Live badge — updates automatically as the community verdict changes.
Community ground truth
Community verdict
2 verdictsto add your verdict.
Practitioners rate this higher than its CVSS — treat with extra caution.
Field notes & remediation
Verdicts are the quick signal — notes are the evidence and fixes behind them.
No notes yet — be the first to share what you saw or a fix that worked.
Related CVEs
Same weakness — CWE-502 · Deserialization of Untrusted Data.
- CVE-2021-35464CVSS 9.8KEVEPSS 100%
ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application Framework (JATO) found in versions of Java 8 or earlier
- CVE-2023-0669CVSS 7.2KEVEPSS 100%
Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre-authentication command injection vulnerability in the License Response Servlet due to deserializing an arbitrary attacker-controlled object. This issue was patched in version 7.1.2.
- CVE-2023-29300CVSS 9.8KEVEPSS 100%
Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.
- CVE-2025-53770CVSS 9.8KEVEPSS 100%
Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.
- CVE-2022-47986CVSS 9.8KEVEPSS 100%
IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier could allow a remote attacker to execute arbitrary code on the system, caused by a YAML deserialization flaw. By sending a specially crafted obsolete API call, an attacker could exploit this vulnerability to execute arbitrary code on the system. The obsolete API call was removed in Faspex 4.4.2 PL2. IBM X-Force ID: 243512.
- CVE-2022-41082CVSS 8KEVEPSS 100%
Microsoft Exchange Server Remote Code Execution Vulnerability