CVE-2026-47065

Name of the Vulnerable Software and Affected Versions Java (affected versions not specified)

Description Two issues exist regarding Java deserialization filters. First, a filter bypass occurs when a serialized stream contains a TC PROXYCLASSDESC marker for a java.lang.reflect.Proxy. In this case, ObjectInputStream.readProxyDesc() is dispatched, and the default ObjectInputStream.resolveProxyClass(interfaces) implementation is called. This process performs Class.forName(intf, false, latestUserDefinedLoader()) for each interface name to construct the proxy class, which bypasses the accepted classes list. Second, deserializing a stream that names any class on the allow-list triggers that class's static initializer (<clinit>) before any instance is constructed. This allows an attacker to trigger side-effecting static initializers by supplying a class name that matches the allow-list patterns.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.