Score: 9.8
CVE-2026-48207: Apache Fory: Untrusted Data Can Be Used to Attack the System
Summary
Apache Fory is a serialization framework; deserialization is the step that turns serialized bytes back into live objects. If an attacker controls the data being deserialized, they may be able to use it to attack the system. To fix this issue, users of Apache Fory should upgrade to the latest version, which includes a security patch to prevent this type of attack.
Original title
Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializer could bypass documented DeserializationPolicy validation hooks during reduce-state restoration and global-name res...
Original description
Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializer could bypass documented DeserializationPolicy validation hooks during reduce-state restoration and global-name resolution. An application is vulnerable if it deserializes attacker-controlled data using PyFory Python-native mode with strict mode disabled and relies on DeserializationPolicy to restrict unsafe classes, functions, or module attributes.
This issue affects Apache Fory versions before 1.0.0.
Mitigation: Users of Apache Fory are recommended to upgrade to version 1.0.0 or later, which enforces DeserializationPolicy validation for the affected ReduceSerializer paths and thus fixes this issue.
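The vulnerable-versus-fixed behaviour the description outlines, as a simplified Python model added here (it is not PyFory's own code or API): a pickle-style reduce tuple is restored by resolving a global name and calling it, and the DeserializationPolicy hook is either skipped, mirroring the pre-1.0.0 ReduceSerializer path, or enforced, mirroring the fix. All class, function and allow-list names are constructed for the illustration.

```python
import importlib
from dataclasses import dataclass, field


@dataclass
class DeserializationPolicy:
    """Constructed allow-list model: a global 'module.attr' name is permitted only if listed."""
    allowed_globals: set = field(default_factory=set)

    def check_global(self, qualname: str) -> None:
        if qualname not in self.allowed_globals:
            raise PermissionError(f"policy rejected global {qualname!r}")


def resolve_global(qualname: str, policy=None):
    """Resolve 'module.attr'; when a policy is given it is consulted before the import."""
    if policy is not None:
        policy.check_global(qualname)
    module, _, attr = qualname.rpartition(".")
    return getattr(importlib.import_module(module), attr)


def restore_reduce(reduce_value, policy, enforce_policy=True):
    """Rebuild an object from (callable_name, args, state).

    enforce_policy=False models the advisory's bypass: the callable is resolved
    without the policy hook. enforce_policy=True models the 1.0.0 fix.
    """
    callable_name, args, state = reduce_value
    fn = resolve_global(callable_name, policy if enforce_policy else None)
    obj = fn(*args)
    for key, value in (state or {}).items():   # restore reduce state
        setattr(obj, key, value)
    return obj


# Constructed sample data: one in-policy reduce tuple, one out-of-policy (harmless) one.
POLICY = DeserializationPolicy(allowed_globals={"types.SimpleNamespace"})
IN_POLICY = ("types.SimpleNamespace", (), {"x": 1})
OUT_OF_POLICY = ("os.getcwd", (), None)   # benign call, but not on the allow-list


def demo():
    """Return what each path does with the two inputs."""
    results = {"safe": restore_reduce(IN_POLICY, POLICY).x}
    # Unpatched path: the policy is never consulted, so the call goes through.
    results["bypass"] = restore_reduce(OUT_OF_POLICY, POLICY, enforce_policy=False) is not None
    try:   # Fixed path: the hook rejects the name before anything is imported or called.
        restore_reduce(OUT_OF_POLICY, POLICY)
        results["fixed"] = "allowed"
    except PermissionError:
        results["fixed"] = "rejected"
    return results
```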
Vulnerability type
CWE-502: Deserialization of Untrusted Data
Published: 21 May 2026 · Updated: 30 May 2026 · First seen: 21 May 2026