logo

79 Gadgets Hidden in a Single Deserialization Flaw: CVE-2026-25632

ID: a2c6c1fd-65fb-5965-99a4-2b2c650ec096

STIX ID: report--a2c6c1fd-65fb-5965-99a4-2b2c650ec096

Feed Name: Blog – Maze

Threat Score
75/100

Date Published: 2026-04-14

Date Updated: 2026-07-16

Author: Nuno Lopes

...
...

EPyT-Flow CVE-2026-25632 is a critical deserialization flaw allowing an attacker-controlled __type__ JSON field to import arbitrary modules and invoke callables, enabling RCE and SSRF; researchers mapped 79 exploitable stdlib gadgets (including 12 RCE and 25 SSRF paths), found two OWASP CRS WAF bypasses, coordinated fixes with maintainers, and advise immediate upgrade to EPyT-Flow 0.16.1 or application-level allowlisting.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.