CVE-2026-50076
Published 2026-06-04
CVE-2026-50076: Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms allows a remote…
Priority: P2 · 62 · Critical · CVSS 3.1 base score 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.52% (40.2th percentile)
Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks and invoke classpath-present readResolve/readExternal hooks via crafted Fory serialized data.
Users are recommended to upgrade to version 1.1.0 or later, which fixes this issue.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | fory | < 1.1.0 | 1.1.0 |
| apache_software_foundation | apache_fory | < 1.1.0 | 1.1.0 |
VulDB
vuldb · 2026-06-04 · CVSS 9.1
CVE-2026-50076 [CRITICAL] Apache Fory up to 1.0.x bypass deserialization
A vulnerability, which was classified as critical, has been found in Apache Fory up to 1.0.x. Affected by this issue is the function bypass. The manipulation leads to deserialization.
This vulnerability is traded as CVE-2026-50076. It is possible to initiate the attack remotely. There is no exploit available.
It is advisable to upgrade the affected component.
GHSA
ghsa_unreviewed · 2026-06-04
CVE-2026-50076 [CRITICAL] CWE-502 Deserialization of Untrusted Data
Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks and invoke classpath-present readResolve/readExternal hooks via crafted Fory serialized data.
Users are recommended to upgrade to version 1.1.0 or later, which fixes this issue.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-06-04