PT-2026-46269 · Unknown · Fory Fory-Core Java Sdk
R3Dw0Lfsec +1 · Published 2026-06-04 · Updated 2026-06-04 · CVE-2026-50076
CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Apache Fory fory-core Java SDK versions prior to 1.1.0
Description
Deserialization of untrusted data in the Java replace-resolve path allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks. This enables the invocation of classpath-present readResolve() or readExternal() hooks through the use of crafted Fory serialized data.
Recommendations
Upgrade to version 1.1.0 or later.
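To find builds that still need this upgrade, the following added example (not part of the advisory and not Apache Fory project code) scans `mvn dependency:tree` text output for fory-core and classifies each resolved version against 1.1.0. The sample tree and its group IDs are constructed, and treating any qualified 1.1.0 build (such as a snapshot) as affected is a conservative assumption.

```python
import re

FIXED = (1, 1, 0)  # first fixed fory-core release per the advisory
TOKEN = re.compile(r"(\S+:fory-core:\S+)")  # exact artifactId, any groupId

# Constructed sample: dependency:tree lines as they might appear across modules.
SAMPLE_TREE = """\
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- org.apache.fory:fory-core:jar:0.12.0:compile
[INFO] +- com.example:worker:jar:2.3.1:compile
[INFO] |  \\- org.apache.fory:fory-core:jar:1.1.0-SNAPSHOT:runtime
[INFO] \\- org.apache.fory:fory-core:jar:1.1.0:test
"""

def parse_version(version):
    """Return ((major, minor, patch), has_qualifier) or None if not numeric."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?([.\-].+)?", version)
    if m is None:
        return None
    return (int(m[1]), int(m[2]), int(m[3] or 0)), m[4] is not None

def classify(version):
    """'affected' if prior to 1.1.0, 'fixed' otherwise, 'unknown' if unparseable."""
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"  # e.g. an unresolved ${property}: review by hand
    nums, qualified = parsed
    # Assumption: a qualified 1.1.0 build (snapshot, rc) may predate the fix.
    if nums < FIXED or (nums == FIXED and qualified):
        return "affected"
    return "fixed"

def scan(tree_text):
    """Return (coordinate, version, status) for every fory-core line found."""
    findings = []
    for line in tree_text.splitlines():
        m = TOKEN.search(line)
        if not m:
            continue
        fields = m[1].split(":")
        if len(fields) < 4:
            continue
        # group:artifact:type[:classifier]:version[:scope]
        version = fields[4] if len(fields) >= 6 else fields[3]
        findings.append((m[1], version, classify(version)))
    return findings

if __name__ == "__main__":
    for coord, version, status in scan(SAMPLE_TREE):
        print(f"{status:9} {version:16} {coord}")
```

Test-scoped and transitive copies are reported too, since the advisory's condition is that the class is present on the classpath.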
Fix
Deserialization of Untrusted Data
Weakness Enumeration
Related Identifiers
Affected Products
Fory Fory-Core Java Sdk