PT-2026-42479 · Apache · Apache Fory
Lide Wen · Published 2026-05-21 · Updated 2026-05-27 · CVE-2026-48207
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Apache Fory versions prior to 1.0.0

Description: Deserialization of untrusted data in Apache Fory PyFory occurs because the ReduceSerializer could bypass the documented DeserializationPolicy validation hooks during reduce-state restoration and global-name resolution. An application is affected if it deserializes attacker-controlled data using PyFory Python-native mode with strict mode disabled and relies on DeserializationPolicy to restrict unsafe classes, functions, or module attributes.

Recommendations: Upgrade to version 1.0.0 or later.

Weakness Enumeration: Deserialization of Untrusted Data

Related Identifiers: CVE-2026-48207

Affected Products: Apache Fory