Critical severity9.8NVD Advisory· Published May 19, 2026· Updated May 20, 2026
CVE-2026-31072
CVE-2026-31072
Description
The JSONSerializer and CBORSerializer in APScheduler (all versions including 3.10.x and 4.0.0a5) are vulnerable to Remote Code Execution (RCE) via Insecure Deserialization. The unmarshal_object function allows for arbitrary class instantiation and state injection by dynamically importing modules and calling __setstate__ on any class available in the Python environment. An attacker can exploit this by submitting a specially crafted JSON or CBOR payload to an application using these serializers
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
apschedulerPyPI | >= 4.0.0a1, <= 4.0.0a6 | — |
Affected products
2(expand)+ 1 more
- (no CPE)
- (no CPE)range: <= 3.10.x, 4.0.0a5
Patches
Vulnerability mechanics
References
3News mentions
0No linked articles in our index yet.