Vulnerability Details CVE-2026-48207
Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializer could bypass documented DeserializationPolicy validation hooks during reduce-state restoration and global-name resolution. An application is vulnerable if it deserializes attacker-controlled data using PyFory Python-native mode with strict mode disabled and relies on DeserializationPolicy to restrict unsafe classes, functions, or module attributes.
This issue affects Apache Fory: from before 1.0.0.
Mitigation: Users of Apache Fory are recommended to upgrade to version 1.0.0 or later, which enforces DeserializationPolicy validation for the affected ReduceSerializer paths and thus fixes this issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 33.8%
CVSS Severity
CVSS v3 Score 9.8
References
Products affected by CVE-2026-48207
-
cpe:2.3:a:apache:fory:0.13.0
-
cpe:2.3:a:apache:fory:0.13.1
-
cpe:2.3:a:apache:fory:0.13.2
-
cpe:2.3:a:apache:fory:0.14.0
-
cpe:2.3:a:apache:fory:0.14.1
-
cpe:2.3:a:apache:fory:0.15.0
-
cpe:2.3:a:apache:fory:0.16.0
-
cpe:2.3:a:apache:fory:0.17.0