PYSEC-2026-26

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/avro/PYSEC-2026-26.yaml
JSON Data
https://api.test.osv.dev/v1/vulns/PYSEC-2026-26
Aliases
Published
2026-02-13T12:16:07.570Z
Modified
2026-05-20T09:18:53.723490Z
Severity
  • 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Summary
[none]
Details

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas.

This issue affects Apache Avro Java SDK: all versions through 1.11.4 and version 1.12.0.

Users are recommended to upgrade to version 1.12.1 or 1.11.5, which fix the issue.

References

Affected packages

PyPI / avro

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.11.5

Affected versions

1.*
1.3.3
1.4.1
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.6.0
1.6.1
1.6.2
1.6.3
1.7.0
1.7.1
1.7.2
1.7.3
1.7.4
1.7.5
1.7.6
1.7.7
1.8.0
1.8.1
1.8.2
1.9.0
1.9.1
1.9.2
1.10.0
1.10.1
1.10.2
1.11.0
1.11.1
1.11.2
1.11.3

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/avro/PYSEC-2026-26.yaml"