Skip to content

CVE-2026-48517

is CVE-2026-48517real, exploitable, or a false positive? Here's the community verdict.

☆ Watch
High · CVSS 7.5EPSS 0.3%CWE-470

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePack-CSharp's typeless deserialization includes MessagePackSerializerOptions.ThrowIfDeserializingTypeIsDisallowed(Type) as a safety check for dangerous types. The default implementation checks the outer type name, but it does not recursively inspect array element types or generic type arguments. As a result, a type that would be blocked directly can be wrapped inside an array or constructed generic type and pass the outer type check. The formatter machinery can then materialize formatters for the inner blocked type. This vulnerability is fixed in 2.5.301 and 3.1.7.

References

NVD MITRE CVE.org

Published

Embed this verdict
TruePositive verdict for CVE-2026-48517
Markdown
[![TruePositive verdict](https://www.truepositive.app/cve/CVE-2026-48517/badge.svg)](https://www.truepositive.app/cve/CVE-2026-48517)
HTML
<a href="https://www.truepositive.app/cve/CVE-2026-48517"><img src="https://www.truepositive.app/cve/CVE-2026-48517/badge.svg" alt="TruePositive verdict for CVE-2026-48517"></a>

Live badge that updates automatically as the community verdict changes.

Community ground truth

In your experience, is this finding real and exploitable?

0 verdicts
Not a real issue

No account needed. Anonymous verdicts post as an unverified signal. Log in to make yours verified and earn reputation.

Field notes & remediation

Verdicts are the quick signal. Notes are the evidence and fixes behind them.

No notes yet. Be the first to share what you saw, or a fix that worked.

    Add a field note or remediationoptional
    Note type

    What are you adding?

    Markdown supported · minimum 20 characters.

    Related CVEs

    Same weakness: CWE-470.