This is an automated email from the ASF dual-hosted git repository.

chaokunyang pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/fory-site.git


The following commit(s) were added to refs/heads/main by this push:
     new a1a969eca5 update security page (#464)
a1a969eca5 is described below

commit a1a969eca57df5fcede1e9a50a025e50c890ba73
Author: Shawn Yang <[email protected]>
AuthorDate: Thu Jun 4 16:52:32 2026 +0800

    update security page (#464)
---
 src/pages/security/index.md | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/pages/security/index.md b/src/pages/security/index.md
index c038ad1e7c..1b52e97c29 100644
--- a/src/pages/security/index.md
+++ b/src/pages/security/index.md
@@ -9,6 +9,18 @@ Apache Fory™ uses the standard process outlined by the [Apache 
Security Team](
 
 To report a possible security vulnerability, please email 
[email protected].
 
+### [CVE-2026-50076](https://www.cve.org/CVERecord?id=CVE-2026-50076): Apache 
Fory: Java ReplaceResolverSerializer deserialization checks bypass
+
+Severity: Important
+
+Vendor: The Apache Software Foundation
+
+Versions affected: Apache Fory (org.apache.fory:fory-core) before 1.1.0
+
+Description: Deserialization of untrusted data in the Java replace-resolve 
path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms 
allows a remote attacker to bypass class registration, TypeChecker, and 
DisallowedList checks and invoke classpath-present readResolve/readExternal 
hooks via crafted Fory serialized data.
+
+Mitigation: Users are recommended to upgrade to version 1.1.0 or later, which 
fixes this issue.
+
 ### [CVE-2026-48207](https://www.cve.org/CVERecord?id=CVE-2026-48207): PyFory 
ReduceSerializer DeserializationPolicy bypass
 
 Severity: Important
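Review bot: the new CVE-2026-50076 block (from the `### [CVE-2026-50076]` heading through `Mitigation: Users are recommended to upgrade to version 1.1.0 or later`) has no Workarounds line, yet its own description says the bypass defeats class registration, TypeChecker and DisallowedList checks, so a reader who cannot upgrade immediately cannot tell from the entry whether any configuration protects them; suggest adding a line such as `Workaround: none known; class registration, TypeChecker and DisallowedList checks do not prevent this bypass` (or the real interim measure if the project has one) directly above the Mitigation line, so the entry states explicitly that upgrading to 1.1.0 is the only fix.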

