This is an automated email from the ASF dual-hosted git repository.

chaokunyang pushed a commit to branch add_CVE-2026-48207
in repository https://gitbox.apache.org/repos/asf/fory-site.git

commit 76f6d7f4dad99a93340a91779e26ef0cc9354c55
Author: 慕白 <[email protected]>
AuthorDate: Thu May 21 20:32:40 2026 +0800

    add cve 2026-48207
---
 src/pages/security/index.md | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/pages/security/index.md b/src/pages/security/index.md
index 9c5b0a45d4..c038ad1e7c 100644
--- a/src/pages/security/index.md
+++ b/src/pages/security/index.md
@@ -9,6 +9,18 @@ Apache Fory™ uses the standard process outlined by the [Apache 
Security Team](
 
 To report a possible security vulnerability, please email 
[email protected].
 
+### [CVE-2026-48207](https://www.cve.org/CVERecord?id=CVE-2026-48207): PyFory 
ReduceSerializer DeserializationPolicy bypass
+
+Severity: Important
+
+Vendor: The Apache Software Foundation
+
+Versions affected: 0.13.0 through 0.17.0 for pyfory
+
+Description: Deserialization of untrusted data in pyfory versions 0.13.0 
through 0.17.0 can bypass documented DeserializationPolicy validation in 
Python-native mode with `strict=False`. Applications are vulnerable when they 
deserialize attacker-controlled data and rely on a custom DeserializationPolicy 
to restrict unsafe classes, functions, or module attributes.
+
+Mitigation: Upgrade to pyfory version 1.0.0 or later, which consistently 
enforces DeserializationPolicy validation for this issue. Libraries and 
applications that depend on Apache Fory should update their dependency 
requirements and release patched versions.
+
 ### [CVE-2025-61622](https://www.cve.org/CVERecord?id=CVE-2025-61622): Python 
RCE via unguarded pickle fallback serializer in pyfory
 
 Severity: Critical
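Review bot: the new `+Mitigation:` paragraph gives upgrading as the only remedy, while the `+Description:` line scopes the bypass to "Python-native mode with `strict=False`"; say explicitly whether running with the strict setting is an effective interim workaround for deployments that cannot move to 1.0.0 yet, or state that it is not, since readers will infer one from the description either way. Also, "Versions affected: 0.13.0 through 0.17.0" placed next to "Upgrade to pyfory version 1.0.0 or later" leaves the status of any release between 0.17.0 and 1.0.0 unstated; either confirm that 0.17.0 is the last release before 1.0.0 or widen the affected range so the two lines agree.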


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
