79 Gadgets Hidden in a Single Deserialization Flaw: CVE-2026-25632
ID: a2c6c1fd-65fb-5965-99a4-2b2c650ec096
STIX ID: report--a2c6c1fd-65fb-5965-99a4-2b2c650ec096
Feed Name: Blog – Maze
Threat Score
EPyT-Flow CVE-2026-25632 is a critical deserialization flaw allowing an attacker-controlled __type__ JSON field to import arbitrary modules and invoke callables, enabling RCE and SSRF; researchers mapped 79 exploitable stdlib gadgets (including 12 RCE and 25 SSRF paths), found two OWASP CRS WAF bypasses, coordinated fixes with maintainers, and advise immediate upgrade to EPyT-Flow 0.16.1 or application-level allowlisting.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
