This is an automated email from the ASF dual-hosted git repository.
chaokunyang pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/fory-site.git
The following commit(s) were added to refs/heads/main by this push:
new a1a969eca5 update security page (#464)
a1a969eca5 is described below
commit a1a969eca57df5fcede1e9a50a025e50c890ba73
Author: Shawn Yang <[email protected]>
AuthorDate: Thu Jun 4 16:52:32 2026 +0800
update security page (#464)
---
src/pages/security/index.md | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/src/pages/security/index.md b/src/pages/security/index.md
index c038ad1e7c..1b52e97c29 100644
--- a/src/pages/security/index.md
+++ b/src/pages/security/index.md
@@ -9,6 +9,18 @@ Apache Fory™ uses the standard process outlined by the [Apache
Security Team](
To report a possible security vulnerability, please email
[email protected].
+### [CVE-2026-50076](https://www.cve.org/CVERecord?id=CVE-2026-50076): Apache
Fory: Java ReplaceResolverSerializer deserialization checks bypass
+
+Severity: Important
+
+Vendor: The Apache Software Foundation
+
+Versions affected: Apache Fory (org.apache.fory:fory-core) before 1.1.0
+
+Description: Deserialization of untrusted data in the Java replace-resolve
path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms
allows a remote attacker to bypass class registration, TypeChecker, and
DisallowedList checks and invoke classpath-present readResolve/readExternal
hooks via crafted Fory serialized data.
+
+Mitigation: Users are recommended to upgrade to version 1.1.0 or later, which
fixes this issue.
+
### [CVE-2026-48207](https://www.cve.org/CVERecord?id=CVE-2026-48207): PyFory
ReduceSerializer DeserializationPolicy bypass
Severity: Important
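Review bot: the new entry is not separated from the preceding paragraph ("To report a possible security vulnerability, please email ...") by a blank line, while a blank `+` line was added before the existing `### [CVE-2026-48207]` heading; for consistent spacing between the contact paragraph and the first advisory, add a `+` blank line immediately after the context line `[email protected].` so both CVE headings are preceded by an empty line. Also, the Mitigation paragraph only recommends upgrading to 1.1.0; since the Description says the flaw bypasses class registration, TypeChecker, and DisallowedList checks, readers who cannot upgrade immediately would benefit from a sentence stating explicitly that those existing controls do not mitigate this issue and that no workaround other than upgrading is offered.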
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]