This is an automated email from the ASF dual-hosted git repository.

chaokunyang pushed a commit to branch update_security_page
in repository https://gitbox.apache.org/repos/asf/fory-site.git

commit 8b91e35050d96f7af076bde3a3134b5ae9f45807
Author: 慕白 <[email protected]>
AuthorDate: Thu Jun 4 16:50:10 2026 +0800

    Add CVE-2026-50076 security advisory
---
 src/pages/security/index.md | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/pages/security/index.md b/src/pages/security/index.md
index c038ad1e7c..1b52e97c29 100644
--- a/src/pages/security/index.md
+++ b/src/pages/security/index.md
@@ -9,6 +9,18 @@ Apache Fory™ uses the standard process outlined by the [Apache 
Security Team](
 
 To report a possible security vulnerability, please email 
[email protected].
 
+### [CVE-2026-50076](https://www.cve.org/CVERecord?id=CVE-2026-50076): Apache 
Fory: Java ReplaceResolverSerializer deserialization checks bypass
+
+Severity: Important
+
+Vendor: The Apache Software Foundation
+
+Versions affected: Apache Fory (org.apache.fory:fory-core) before 1.1.0
+
+Description: Deserialization of untrusted data in the Java replace-resolve 
path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms 
allows a remote attacker to bypass class registration, TypeChecker, and 
DisallowedList checks and invoke classpath-present readResolve/readExternal 
hooks via crafted Fory serialized data.
+
+Mitigation: Users are recommended to upgrade to version 1.1.0 or later, which 
fixes this issue.
+
 ### [CVE-2026-48207](https://www.cve.org/CVERecord?id=CVE-2026-48207): PyFory 
ReduceSerializer DeserializationPolicy bypass
 
 Severity: Important


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to