CVE•Published 2026-06-22•Modified 2026-06-23•0 articles on news•6 live references•NVD data

CVE-2026-48517Messagepack · Messagepack

Vulnerability data via NVD (ingested)

CVSS v3.1

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS percentile

—

Weaknesses (CWE)

CWE-470Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')CWE-502Deserialization of Untrusted Data

Description

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePack-CSharp's typeless deserialization includes MessagePackSerializerOptions.ThrowIfDeserializingTypeIsDisallowed(Type) as a safety check for dangerous types. The default implementation checks the outer type name, but it does not recursively inspect array element types or generic type arguments. As a result, a type that would be blocked directly can be wrapped inside an array or constructed generic type and pass the outer type check. The formatter machinery can then materialize formatters for the inner blocked type. This vulnerability is fixed in 2.5.301 and 3.1.7.

Timeline

Published 2026-06-22

Modified 2026-06-23

External references

NVD MITRE Exploit-DB GitHub PoC Sploitus VulnCheck

Search for exposed instances

Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).

Shodan · vuln tag0 hosts

vuln:CVE-2026-48517

Hosts Shodan has explicitly fingerprinted as vulnerable.

Shodan · product

product:"Messagepack Messagepack"

All exposed Messagepack Messagepack instances — cross-reference with the CVE's affected-version range.

Shodan · banner/body mention

http.html:"Messagepack"

HTTP body or banner mentions "Messagepack" — catches deploys Shodan didn't identify as a product.

More intel sources (5)

Shodan report

vuln:CVE-2026-48517