CVE-2026-25632

Name of the Vulnerable Software and Affected Versions EPyT-Flow versions prior to 0.16.1

Description EPyT-Flow is a Python package used for generating hydraulic and water quality scenario data for water distribution networks. The REST API parses attacker-controlled JSON request bodies using a custom deserializer, my load from json, which supports a type field. When this field is present, the deserializer dynamically imports and instantiates a module/class specified by the attacker, with arguments also supplied by the attacker. This allows the invocation of dangerous classes like subprocess.Popen, potentially leading to operating system command execution during JSON parsing. This issue also affects the loading of JSON files. The type field is used in the deserialization process.

Recommendations Versions prior to 0.16.1 should be updated to version 0.16.1. Do not load JSON data from untrusted sources. Do not expose the REST API.