Critical Defect Exposed: Flaw In Apache Fory Bypasses Deserialization Protections
ID: ad216347-68c5-5603-aff6-a3972efcab76
STIX ID: report--ad216347-68c5-5603-aff6-a3972efcab76
Feed Name: securityonline.info
Executive summary: A critical deserialization policy bypass in PyFory (CVE-2026-48207, CVSS 9.8) enables remote attackers to execute malicious operations without user interaction when applications run in Python-native mode with strict validation disabled. ReduceSerializer fails to enforce access controls. The flaw affects pyfory versions 0.13.0 through 0.17.0 and is remediated by upgrading to pyfory 1.0.0 or later.
