A deserialization of untrusted data vulnerability with a malicious payload can allow an unauthenticated remote code execution (RCE).