EUVD-2026-38385

🗓️ 22 Jun 2026 21:14:54Reported by EUVDType

ExpandoObject deserialization can cause high CPU for large maps; fixed in 2.5.301 and 3.1.7.

Reporter	Title	Published	Views	Family All 5
ATTACKERKB	CVE-2026-48511	22 Jun 202621:14	–	attackerkb
CVE	CVE-2026-48511	22 Jun 202621:14	–	cve
Cvelist	CVE-2026-48511 MessagePack-CSharp: ExpandoObject formatter can perform quadratic insertion work on untrusted maps	22 Jun 202621:14	–	cvelist
NVD	CVE-2026-48511	22 Jun 202622:16	–	nvd
Positive Technologies	PT-2026-51395	22 Jun 202600:00	–	ptsecurity

[
  {
    "enisaIdVendor": [
      {
        "id": "92bfdc1c-47e6-36fa-b5fc-dcebe91b6d88",
        "vendor": {
          "name": "MessagePack-CSharp"
        }
      }
    ],
    "enisaIdProduct": [
      {
        "id": "28eda059-25f0-3a57-9ec7-e7b25a35c2f3",
        "product": {
          "name": "MessagePack-CSharp",
          "vendor": {
            "name": "MessagePack-CSharp"
          }
        },
        "product_version": "3.1.7, < 3.1.7"
      },
      {
        "id": "d5c6bae7-4dc2-3668-a5a5-36fad75dc1a5",
        "product": {
          "name": "MessagePack-CSharp",
          "vendor": {
            "name": "MessagePack-CSharp"
          }
        },
        "product_version": "< 2.5.301"
      }
    ]
  }
]

Source	Link
github	www.github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-2x83-8g95-xh59

22 Jun 2026 21:14Current

5.8Medium risk

Vulners AI Score5.8

CVSS 46.3