๐Ÿ” CVE Alert

CVE-2026-31072

CRITICAL 9.8
CVSS Score
9.8
EPSS Score
0.0%
EPSS Percentile
0th

The JSONSerializer and CBORSerializer in APScheduler (all versions including 3.10.x and 4.0.0a5) are vulnerable to Remote Code Execution (RCE) via Insecure Deserialization. The unmarshal_object function allows for arbitrary class instantiation and state injection by dynamically importing modules and calling __setstate__ on any class available in the Python environment. An attacker can exploit this by submitting a specially crafted JSON or CBOR payload to an application using these serializers

Vendor n/a
Product n/a
Published May 19, 2026
Last Updated Jun 30, 2026
Stay Ahead of the Next One

Get instant alerts for n/a n/a

Be the first to know when new critical vulnerabilities affecting n/a n/a are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

n/a / n/a
n/a

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/agronholm/apscheduler gist.github.com: https://gist.github.com/nedlir/11fb77f35a59cbba73392a086b02a9c6 access.redhat.com: https://access.redhat.com/security/cve/CVE-2026-31072 bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2479907 security.access.redhat.com: https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-31072.json