CVE Catalog

CVE-2026-31072

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
0.81%

52th percentile — higher than 52% of all known CVEs

Summary

The vulnerability in APScheduler allows Remote Code Execution (RCE) via insecure deserialization in JSONSerializer and CBORSerializer classes. The unmarshal_object function enables arbitrary class instantiation and state injection by dynamically importing modules and calling __setstate__ on any class available in the Python environment.

Risk Assessment

An attacker can exploit this by submitting a crafted JSON or CBOR payload to an application using these serializers, potentially leading to full system compromise.

Recommendation

Immediately update APScheduler to a patched version or stop using JSONSerializer and CBORSerializer until fixes are released.

Original NVD description (English source)

The JSONSerializer and CBORSerializer in APScheduler (all versions including 3.10.x and 4.0.0a5) are vulnerable to Remote Code Execution (RCE) via Insecure Deserialization. The unmarshal_object function allows for arbitrary class instantiation and state injection by dynamically importing modules and calling __setstate__ on any class available in the Python environment. An attacker can exploit this by submitting a specially crafted JSON or CBOR payload to an application using these serializers

Vulnerability data from NVD (NIST) · CISA KEV · EPSS