Quickfire Cyber Bulletin June 5, 2026
← Back

CVE-2026-48207

Low

Description

Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializer could bypass documented DeserializationPolicy validation hooks during reduce-state restoration and global-name resolution. An application is vulnerable if it deserializes attacker-controlled data using PyFory Python-native mode with strict mode disabled and relies on DeserializationPolicy to restrict unsafe classes, functions, or module attributes. This issue affects Apache Fory: from before 1.0.0. Mitigation: Users of Apache Fory are recommended to upgrade to version 1.0.0 or later, which enforces DeserializationPolicy validation for the affected ReduceSerializer paths and thus fixes this issue.

Scores & Signals

CVSS 3.1 9.8 — CRITICAL
EPSS score 0.0004 (12.6th percentile)
CISA KEV No
Published 2026-05-21

Sources

External references

Risk scores are deterministic, based on public signals only. They are informational context, not a final verdict. Always consult vendor advisories before taking action.