CVE-2026-50076

⛔ critical

Summary

Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks and invoke classpath-present readResolve/readExternal hooks via crafted Fory serialized data. Users are recommended to upgrade to version 1.1.0 or later, which fixes this issue.

CVSS Score

9.1

Critical

EPSS Score

0.2

Exploit Probability

Published Date

2026-06-04

First Seen: 2026-06-05

📊 Relative Risk Intelligence

This CVE is High Risk - more severe than 87.7% of all 328,009 vulnerabilities in our database.

#40,306

Top 25% most severe

Severity Percentile

🎯 CISA SSVC Assessment Updated: Jun 4, 2026

🔍 Exploitation Status

None

No known exploits

⚙️ Automatable

YES

Can be exploited automatically

💥 Technical Impact

Total

Complete system compromise possible

🏆 Discovered By

Venkatraman Kumar (r3dw0lfsec), Securin (reporter)

SSVC data provided by CISA

Last Modified 2026-06-08

Source NVD 🔗

CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE IDs (Weakness Types)

CWE-502

CVE ID	Severity	CVSS	EPSS	Summary	Published
CVE-2026-48207	⛔ critical	9.8	0.1	Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializer could bypass documented Deserializati...	2026-05-21
CVE-2025-61622	⛔ critical	9.8	0.3	Deserialization of untrusted data in python in pyfory versions 0.12.0 through 0.12.2, or the legacy pyfury versions ...	2025-10-01
CVE-2025-59328	🔶 medium	6.5	1.8	A vulnerability in Apache Fory allows a remote attacker to cause a Denial of Service (DoS). The issue stems from the ins...	2025-09-15

CVE-2026-50076

Summary

📊 Relative Risk Intelligence

🎯 CISA SSVC Assessment Updated: Jun 4, 2026

📦 Affected Products 1

🔗 References 2

🔗 Related CVEs 3