PT-2026-24898 · Alfresco · Activiti

Ana10Gy +1 · Published 2026-03-12 · Updated 2026-03-12 · CVE-2026-3967

CVSS v2.0

6.5 (Medium)

Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

Alfresco Activiti versions prior to 7.19/8.8.0

Description

An issue exists in Alfresco Activiti related to the Process Variable Serialization System component. Specifically, the deserialize/createObjectInputStream function within the SerializableType.java file (located at activiti-core/activiti-engine/src/main/java/org/activiti/engine/impl/variable/SerializableType.java) is susceptible to deserialization manipulation. Remote exploitation is possible. The exploit for this issue has been published. The vendor was contacted regarding this disclosure but did not respond.

Recommendations

Update Alfresco Activiti to a version prior to 7.19/8.8.0.
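
A general hardening pattern for the weakness class described above (Deserialization of Untrusted Data), added here as an example; it is not Activiti's code or a vendor fix. The class name `FilteredVariableDeserializer`, the allow-list and the limits are assumptions chosen for illustration, and the sample values are constructed.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;

// Hypothetical helper (not Activiti code): reads a stored variable through an
// allow-list filter instead of a bare ObjectInputStream. Requires Java 9+.
public class FilteredVariableDeserializer {

    // Assumed allow-list: extend it only with types your processes really store.
    // The limits bound graph depth, references, array length and stream size;
    // the trailing "!*" rejects every class not named before it.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "java.lang.Object;java.lang.String;java.lang.Number;java.lang.Integer;"
            + "java.lang.Long;java.lang.Boolean;java.util.ArrayList;"
            + "maxdepth=8;maxrefs=1000;maxarray=1000;maxbytes=65536;!*");

    public static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(FILTER); // must happen before the first readObject()
            return in.readObject();          // a rejected class raises InvalidClassException
        }
    }

    private static byte[] serialize(Serializable value) throws IOException {
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buffer)) {
            out.writeObject(value);
        }
        return buffer.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values standing in for stored process variables.
        ArrayList<String> expected = new ArrayList<>(List.of("invoice-42", "approved"));
        System.out.println("allowed:  " + deserialize(serialize(expected)));

        try {
            deserialize(serialize(new Date())); // java.util.Date is not on the allow-list
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter runs on each class descriptor as it is read, so a type outside the allow-list is refused before any of its `readObject` logic executes.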

Exploit

Fix

RCE

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

CVE-2026-3967

Affected Products

Activiti