This is an automated email from the ASF dual-hosted git repository. chaokunyang pushed a commit to branch update_security_page in repository https://gitbox.apache.org/repos/asf/fory-site.git
commit 8b91e35050d96f7af076bde3a3134b5ae9f45807 Author: 慕白 <[email protected]> AuthorDate: Thu Jun 4 16:50:10 2026 +0800 Add CVE-2026-50076 security advisory --- src/pages/security/index.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/src/pages/security/index.md b/src/pages/security/index.md index c038ad1e7c..1b52e97c29 100644 --- a/src/pages/security/index.md +++ b/src/pages/security/index.md @@ -9,6 +9,18 @@ Apache Fory™ uses the standard process outlined by the [Apache Security Team]( To report a possible security vulnerability, please email [email protected]. +### [CVE-2026-50076](https://www.cve.org/CVERecord?id=CVE-2026-50076): Apache Fory: Java ReplaceResolverSerializer deserialization checks bypass + +Severity: Important + +Vendor: The Apache Software Foundation + +Versions affected: Apache Fory (org.apache.fory:fory-core) before 1.1.0 + +Description: Deserialization of untrusted data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks and invoke classpath-present readResolve/readExternal hooks via crafted Fory serialized data. + +Mitigation: Users are recommended to upgrade to version 1.1.0 or later, which fixes this issue. + ### [CVE-2026-48207](https://www.cve.org/CVERecord?id=CVE-2026-48207): PyFory ReduceSerializer DeserializationPolicy bypass Severity: Important --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
