CWE-1066: Missing Serialization Control Element
The product contains a serializable data element that does not have an associated serialization method.
Last updated
Overview
CWE-1066 (Missing Serialization Control Element) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Background
As examples, the serializable nature of a data element comes from a serializable SerializableAttribute attribute in .NET and the inheritance from the java.io.Serializable interface in Java.
Real-world CVEs
1 recorded CVEs are caused by CWE-1066 (Missing Serialization Control Element). The highest-severity and most recent are shown first. 1 new CWE-1066 CVE has been recorded so far in 2026.
Common consequences
What can happen when CWE-1066 is exploited.
Reduce Reliability
Affects: Other
This issue can prevent the product from running reliably, e.g. by triggering an exception. If the relevant code is reachable by an attacker, then this reliability problem might introduce a vulnerability.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Terminology & mappings
Mapped taxonomies
- OMG ASCRM (ASCRM-RLB-2)
Frequently asked questions
Common questions about CWE-1066.
- What is CWE-1066?
- The product contains a serializable data element that does not have an associated serialization method.
- What CVEs are caused by CWE-1066?
- 1 recorded CVEs are attributed to CWE-1066, including CVE-2026-4372.
- What are the consequences of CWE-1066?
- Exploiting CWE-1066 can lead to: Reduce Reliability.
- Is CWE-1066 actively exploited?
- 1 recorded CVEs are caused by CWE-1066; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-1066) (opens in a new tab)
- CWE-1066 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-1066
Get alerted the moment a new CWE-1066 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.