ByteOS Network

NVD Vulnerability Details :

CVE-2026-48207

Awaiting Analysis

Source-security@apache.org

Published At-21 May, 2026 | 17:16

Updated At-21 May, 2026 | 19:16

Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializer could bypass documented DeserializationPolicy validation hooks during reduce-state restoration and global-name resolution. An application is vulnerable if it deserializes attacker-controlled data using PyFory Python-native mode with strict mode disabled and relies on DeserializationPolicy to restrict unsafe classes, functions, or module attributes. This issue affects Apache Fory: from before 1.0.0. Mitigation: Users of Apache Fory are recommended to upgrade to version 1.0.0 or later, which enforces DeserializationPolicy validation for the affected ReduceSerializer paths and thus fixes this issue.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Type: Secondary

Version: 3.1

Base score: 9.8

Base severity: CRITICAL

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses

CWE ID	Type	Source
CWE-502	Secondary	security@apache.org

CWE ID: CWE-502

Type: Secondary

Source: security@apache.org

References

Hyperlink	Source	Resource
https://fory.apache.org/security/#cve-2026-48207-pyfory-reduceserializer-deserializationpolicy-bypass	security@apache.org	N/A
http://www.openwall.com/lists/oss-security/2026/05/21/10	af854a3a-2127-422b-91ae-364da2661108	N/A

Hyperlink: https://fory.apache.org/security/#cve-2026-48207-pyfory-reduceserializer-deserializationpolicy-bypass

Source: security@apache.org

Resource: N/A

Hyperlink: http://www.openwall.com/lists/oss-security/2026/05/21/10

Source: af854a3a-2127-422b-91ae-364da2661108

Resource: N/A

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History