Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
9.8
CVE-2026-31072: APScheduler JSON and CBOR Deserialization RCE
CVE-2026-31072
Summary
APScheduler's JSON and CBOR deserialization features allow attackers to execute malicious code remotely. This can happen if an attacker submits a specially crafted payload to an application using these features. To fix this, update APScheduler to the latest version, which includes security patches.
Original title
The JSONSerializer and CBORSerializer in APScheduler (all versions including 3.10.x and 4.0.0a5) are vulnerable to Remote Code Execution (RCE) via Insecure Deserialization. The unmarshal_object fun...
Original description
The JSONSerializer and CBORSerializer in APScheduler (all versions including 3.10.x and 4.0.0a5) are vulnerable to Remote Code Execution (RCE) via Insecure Deserialization. The unmarshal_object function allows for arbitrary class instantiation and state injection by dynamically importing modules and calling __setstate__ on any class available in the Python environment. An attacker can exploit this by submitting a specially crafted JSON or CBOR payload to an application using these serializers
Vulnerability type
CWE-502
Deserialization of Untrusted Data
Published: 19 May 2026 · Updated: 28 May 2026 · First seen: 19 May 2026