4 matches found

CVE · added 2025/10/01 9:55 a.m. · 37 views

CVE-2025-61622

CVE-2025-61622 describes a deserialization vulnerability in Apache Pyfory (and legacy PyFury) where untrusted data can trigger a pickle.loads path during deserialization, enabling remote code execution. Affected: Pyfory versions 0.12.0–0.12.2 and legacy PyFury 0.1.0–0.10.3. The issue arises from ...

CVSS 9.8 · AI score 7.6 · EPSS 0.00378

CVE · added 2025/09/15 4:26 p.m. · 19 views

CVE-2025-59328

CVE-2025-59328 describes a DoS vulnerability in the Apache Fory library caused by insecure deserialization of untrusted data. A remote attacker can submit a large, crafted payload that, when deserialized, fuels high CPU usage, leading to CPU exhaustion and unresponsiveness of the affected applica...

CVSS 6.5 · AI score 6.7 · EPSS 0.02544

CVE · added 6 days ago · 15 views

CVE-2026-50076

CVE-2026-50076 affects the Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM. The issue is a deserialization flaw in the Java replace-resolve path that allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks and to invoke classpath-present readResolve/r...

CVSS 9.1 · AI score 5.8 · EPSS 0.00133

CVE · added 2026/05/21 3:51 p.m. · 13 views

CVE-2026-48207

CVE-2026-48207 affects Apache Fory: PyFory ReduceSerializer deserializes attacker-controlled data and could bypass DeserializationPolicy validation during reduce-state restoration and global-name resolution. Impact is high (CVSS 3.1: 9.8, CRITICAL, NETWORK/LOW/NONE user interaction). The issue ...

CVSS 9.8 · AI score 5.8 · EPSS 0.0014