Critical severity9.1NVD Advisory· Published Jun 4, 2026· Updated Jun 8, 2026
CVE-2026-50076
CVE-2026-50076
Description
Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks and invoke classpath-present readResolve/readExternal hooks via crafted Fory serialized data.
Users are recommended to upgrade to version 1.1.0 or later, which fixes this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
2- www.openwall.com/lists/oss-security/2026/06/04/4nvdMailing ListThird Party Advisory
- fory.apache.org/securitynvdVendor Advisory
News mentions
0No linked articles in our index yet.