VYPR
Critical severity9.8NVD Advisory· Published May 21, 2026· Updated May 22, 2026

CVE-2026-48207

CVE-2026-48207

Description

Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializer could bypass documented DeserializationPolicy validation hooks during reduce-state restoration and global-name resolution. An application is vulnerable if it deserializes attacker-controlled data using PyFory Python-native mode with strict mode disabled and relies on DeserializationPolicy to restrict unsafe classes, functions, or module attributes.

This issue affects Apache Fory: from before 1.0.0.

Mitigation: Users of Apache Fory are recommended to upgrade to version 1.0.0 or later, which enforces DeserializationPolicy validation for the affected ReduceSerializer paths and thus fixes this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Apache/Fory2 versions
    cpe:2.3:a:apache:fory:*:*:*:*:*:*:*:*+ 1 more
    • cpe:2.3:a:apache:fory:*:*:*:*:*:*:*:*range: >=0.13.0,<1.0.0
    • (no CPE)range: <1.0.0

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.