Zero Day MonitorZDM

← Back to list

9.1

CVE-2026-50076EXPLOITEDPATCHED

apache · fory

Apache Fory: Java ReplaceResolverSerializer deserialization checks bypass

Description

Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks and invoke classpath-present readResolve/readExternal hooks via crafted Fory serialized data. Users are recommended to upgrade to version 1.1.0 or later, which fixes this issue.

Affected Products

Vendor	Product	Versions
apache	fory	0

References

https://fory.apache.org/security(vendor-advisory)

Related News (2 articles)

Tier C

VulDB1d ago

CVE-2026-50076 | Apache Fory up to 1.0.x bypass deserialization

→ No new info (linked only)

Tier C

oss-security1d ago

CVE-2026-50076: Apache Fory: Java ReplaceResolverSerializer deserialization checks bypass

→ No new info (linked only)

CVSS 3.19.1 CRITICAL

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

1.1.0

CWECWE-502

PublishedJun 4, 2026

Last enriched1d agov2

Trending Score64

Source articles2

Independent2

Info Completeness8/14

Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

HIGHCVE-2026-34197EXPKEV

Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Authenticated users could perform RCE via Jolokia MBeans

MEDIUMCVE-2026-34479EXP

Apache Log4j 1 to Log4j 2 bridge: Silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters

MEDIUMCVE-2026-34480EXP

Apache Log4j Core: Silent log event loss in XmlLayout due to unescaped XML 1.0 forbidden characters

MEDIUMCVE-2026-34477EXP

Apache Log4j Core: verifyHostName attribute silently ignored in TLS configuration, allowing hostname verification bypass

MEDIUMCVE-2026-34478

Apache Log4j Core: Log injection in Rfc5424Layout due to silent configuration incompatibility

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Jun 4, 2026

Discovered by ZDM

Jun 4, 2026

Updated: description, affectedVersions, severity, activelyExploited

Jun 4, 2026

Actively Exploited

Jun 4, 2026

Patch Available

Jun 4, 2026

Version History

v2

Last enriched 1d ago

v2Tier C1d ago

Updated description with critical severity, added affected versions up to 1.0.x, and noted that the vulnerability is actively exploited.

descriptionaffectedVersionsseverityactivelyExploited

via VulDB

v11d ago

Initial creation