CVE-2026-3967

MEDIUM 6.3

Alfresco Activiti Process Variable Serialization System SerializableType.java createObjectInputStream deserialization

CVSS Score

6.3

EPSS Score

0.0%

EPSS Percentile

0th

A flaw has been found in Alfresco Activiti up to 7.19/8.8.0. Affected by this issue is the function deserialize/createObjectInputStream of the file activiti-core/activiti-engine/src/main/java/org/activiti/engine/impl/variable/SerializableType.java of the component Process Variable Serialization System. This manipulation causes deserialization. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE	CWE-502 CWE-20
Vendor	alfresco
Product	activiti
Published	Mar 12, 2026
Last Updated	Mar 12, 2026

Stay Ahead of the Next One

Get instant alerts for alfresco activiti

Be the first to know when new medium vulnerabilities affecting alfresco activiti are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

Alfresco / Activiti

7.0 7.1 7.2 7.3 7.4 7.5 7.6 7.7 7.8 7.9 7.10 7.11 7.12 7.13 7.14 7.15 7.16 7.17 7.18 7.19 8.0 8.1 8.2 8.3 8.4 8.5 8.6 8.7 8.8.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

vuldb.com: https://vuldb.com/?id.350396 vuldb.com: https://vuldb.com/?ctiid.350396 vuldb.com: https://vuldb.com/?submit.768942 github.com: https://github.com/AnalogyC0de/public_exp/issues/16

Credits

🔍 Ana10gy (VulDB User) VulDB