Vulnerability Details CVE-2026-50076
Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks and invoke classpath-present readResolve/readExternal hooks via crafted Fory serialized data.
Users are recommended to upgrade to version 1.1.0 or later, which fixes this issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 20.8%
CVSS Severity
CVSS v3 Score 9.1
Products affected by CVE-2026-50076
-
cpe:2.3:a:apache:fory:0.1.0
-
cpe:2.3:a:apache:fory:0.1.1
-
cpe:2.3:a:apache:fory:0.1.2
-
cpe:2.3:a:apache:fory:0.10.0
-
cpe:2.3:a:apache:fory:0.10.1
-
cpe:2.3:a:apache:fory:0.10.2
-
cpe:2.3:a:apache:fory:0.10.3
-
cpe:2.3:a:apache:fory:0.11.0
-
cpe:2.3:a:apache:fory:0.11.1
-
cpe:2.3:a:apache:fory:0.11.2
-
cpe:2.3:a:apache:fory:0.12.0
-
cpe:2.3:a:apache:fory:0.12.1
-
cpe:2.3:a:apache:fory:0.12.2
-
cpe:2.3:a:apache:fory:0.12.3
-
cpe:2.3:a:apache:fory:0.13.0
-
cpe:2.3:a:apache:fory:0.13.1
-
cpe:2.3:a:apache:fory:0.13.2
-
cpe:2.3:a:apache:fory:0.14.0
-
cpe:2.3:a:apache:fory:0.14.1
-
cpe:2.3:a:apache:fory:0.15.0
-
cpe:2.3:a:apache:fory:0.16.0
-
cpe:2.3:a:apache:fory:0.17.0
-
cpe:2.3:a:apache:fory:0.2.0
-
cpe:2.3:a:apache:fory:0.2.1
-
cpe:2.3:a:apache:fory:0.3.0
-
cpe:2.3:a:apache:fory:0.3.1
-
cpe:2.3:a:apache:fory:0.4.0
-
cpe:2.3:a:apache:fory:0.4.1
-
cpe:2.3:a:apache:fory:0.5.0
-
cpe:2.3:a:apache:fory:0.5.1
-
cpe:2.3:a:apache:fory:0.6.0
-
cpe:2.3:a:apache:fory:0.7.0
-
cpe:2.3:a:apache:fory:0.7.1
-
cpe:2.3:a:apache:fory:0.8.0
-
cpe:2.3:a:apache:fory:0.9.0
-
cpe:2.3:a:apache:fory:1.0.0