PT-2026-41945 · Pypi · Apscheduler

Published: 2026-05-19 · Updated: 2026-05-20 · CVE-2026-31072

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: APScheduler (affected versions not specified)
Description: The JSONSerializer and CBORSerializer are subject to Remote Code Execution (RCE) through insecure deserialization. The unmarshal_object() function enables arbitrary class instantiation and state injection: it dynamically imports the module named in the payload and calls __setstate__() on any class present in the Python environment. This can be triggered by submitting a specially crafted JSON or CBOR payload to an application that uses these serializers.
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
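The defensive counterpart to the pattern described above, as an added example that is not APScheduler's code: instead of importing a module and resolving a class from names carried in the payload, the unmarshaller only instantiates types the application has explicitly registered, and __setstate__ validates the state it receives. The payload shape ({"type": ..., "state": {...}}), the registry key format and the ReportJob class are assumptions for illustration.

```python
import json
from typing import Any, Callable


class UnsafeTypeError(ValueError):
    """Raised when a payload names a type that was not explicitly registered."""


# Explicit allowlist of deserializable types. Nothing is imported and no attribute
# is looked up based on payload content; the payload can only pick from this map.
_REGISTRY: dict[str, type] = {}


def register(type_key: str) -> Callable[[type], type]:
    """Class decorator: opt a type in to deserialization under a fixed key."""
    def deco(cls: type) -> type:
        _REGISTRY[type_key] = cls
        return cls
    return deco


@register("demo.jobs:ReportJob")  # hypothetical application class
class ReportJob:
    def __init__(self, name: str = "", retries: int = 0) -> None:
        self.name = name
        self.retries = retries

    def __setstate__(self, state: dict[str, Any]) -> None:
        # Validate the injected state instead of copying it blindly into __dict__.
        self.name = str(state.get("name", ""))
        self.retries = int(state.get("retries", 0))
        if self.retries < 0:
            raise ValueError("retries must be non-negative")


def safe_unmarshal(payload: dict[str, Any]) -> Any:
    """Instantiate only registered types; the check happens before any construction."""
    type_key = payload.get("type")
    if not isinstance(type_key, str) or type_key not in _REGISTRY:
        raise UnsafeTypeError(f"refusing to instantiate unregistered type {type_key!r}")
    state = payload.get("state", {})
    if not isinstance(state, dict):
        raise UnsafeTypeError("state must be a mapping")
    cls = _REGISTRY[type_key]
    obj = cls.__new__(cls)  # bypass __init__, as pickle-style protocols do
    obj.__setstate__(state)
    return obj


def unmarshal_json(raw: str) -> Any:
    """Parse a (constructed) JSON document and unmarshal it through the allowlist."""
    return safe_unmarshal(json.loads(raw))


def is_rejected(raw: str) -> bool:
    """True if the payload is refused by the allowlist check."""
    try:
        unmarshal_json(raw)
    except UnsafeTypeError:
        return True
    return False
```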

Exploit · RCE

Weakness Enumeration: Deserialization of Untrusted Data

Related Identifiers: CVE-2026-31072

Affected Products: Apscheduler