SCA: security update for pyfory (GHSA-m5gw-83w2-7749)

critical Tenable Self-Hosted Container Security Plugin ID 444193

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializer could bypass the documented
DeserializationPolicy validation hooks during reduce-state restoration and global-name resolution. An
application is vulnerable if it deserializes attacker-controlled data using PyFory's Python-native mode with
strict mode disabled and relies on DeserializationPolicy to restrict unsafe classes, functions, or module
attributes. This issue affects Apache Fory versions before 1.0.0. Mitigation: users of Apache Fory are
recommended to upgrade to version 1.0.0 or later, which enforces DeserializationPolicy validation on the
affected ReduceSerializer paths and thus fixes this issue. (CVE-2026-48207)

Solution

Update the pyfory library and its related packages to version 1.0.0 or later.

See Also

https://github.com/advisories/GHSA-m5gw-83w2-7749

Plugin Details

Severity: Critical

ID: 444193

Version: Revision 1.1

Type: Local

Family: SCA Checks

Published: 7/1/2026

Updated: 7/1/2026

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-48207

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/21/2026

Vulnerability Publication Date: 5/21/2026

Reference Information

CVE: CVE-2026-48207

CWE: CWE-502