2 matches found
CVE-2026-48517 MessagePack-CSharp: Typeless deserialization type restrictions do not recurse into arrays or generic arguments
MessagePack for C is a MessagePack serializer for C. Prior to 2.5.301 and 3.1.7, MessagePack-CSharp's typeless deserialization includes MessagePackSerializerOptions.ThrowIfDeserializingTypeIsDisallowedType as a safety check for dangerous types. The default implementation checks the outer type nam...
CVE-2026-48517
CVE-2026-48517 affects MessagePack-CSharp (MessagePack for C#). The vulnerability arises because typeless deserialization’s safety check (ThrowIfDeserializingTypeIsDisallowed) only validates the outer type name and does not recursively inspect inner types such as array element types or generic ty...