Severity by source
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A flaw has been found in changmingxie tcc-transaction up to 2.1.0. This issue affects the function Fastjson.parseObject of the component Fastjson AutoType REST API. This manipulation causes deserialization. It is possible to initiate the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI-generated)
Unsafe deserialization in changmingxie tcc-transaction (versions up to 2.1.0) allows a remotely authenticated attacker with low privileges to exploit the Fastjson AutoType feature via the REST API, achieving limited confidentiality, integrity, and availability impact on the affected system. A proof-of-concept exploit exists (CVSS 4.0 E:P), referenced in a public GitHub bug report, though EPSS probability sits at just 0.04% (12th percentile) and SSVC assesses exploitation as none at time of analysis, indicating no observed active abuse. …
Attack Chain (AI-derived)
[Attack chain visualization: hypothetical attack flow derived from CVE metadata]
Vulnerability Assessment (AI-generated)

| Aspect | Assessment |
|---|---|
| Exploitation | The attacker must have low-privilege authenticated access to the tcc-transaction REST API (CVSS PR:L confirmed), meaning unauthenticated exploitation is not supported by the available data. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Despite involving a network-accessible deserialization vector (AV:N/AC:L/AT:N), the CVSS 4.0 base score is 2.1 (Low), driven primarily by constrained impact metrics: all three impact dimensions (VC:L/VI:L/VA:L) are scored Low, and there is no subsequent system impact (SC:N/SI:N/SA:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with low-privilege credentials to the tcc-transaction REST API crafts a JSON request body containing a malicious `@type` directive targeting a gadget class available on the server's Java classpath, then submits it to an endpoint that invokes `Fastjson.parseObject`. Fastjson's AutoType mechanism instantiates the specified class and invokes setters or constructors with attacker-supplied values, resulting in limited unauthorized read, write, or availability impact on the host. … |
| Remediation | No vendor-released patch has been identified at time of analysis; the vendor did not respond to the coordinated disclosure. … Detailed patch versions, workarounds, and compensating controls in full report. |
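The assessment above turns on one behaviour: a REST handler hands an untrusted JSON body to `Fastjson.parseObject` while AutoType is able to honour an `@type` key. The following is an added example, not code from tcc-transaction and not a vendor patch, showing the compensating control a defender can apply on the application side: bind the body to a fixed target class and run Fastjson in safeMode, which disables AutoType outright so any `@type` directive is rejected before a class is resolved. It assumes fastjson 1.2.68 or later (where `ParserConfig.setSafeMode` exists); the `TransactionRequest` DTO, the field names and the sample request bodies are constructed for the illustration and do not come from the project.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

/**
 * Added illustration (not tcc-transaction code): parsing an untrusted REST body
 * with Fastjson safeMode so that "@type" AutoType directives are rejected
 * instead of instantiating a caller-chosen class.
 * Assumes fastjson >= 1.2.68, where ParserConfig.setSafeMode is available.
 */
public class SafeRestBodyParser {

    // Hypothetical DTO standing in for whatever the real endpoint expects.
    public static class TransactionRequest {
        private String xid;
        private int status;
        public String getXid() { return xid; }
        public void setXid(String xid) { this.xid = xid; }
        public int getStatus() { return status; }
        public void setStatus(int status) { this.status = status; }
    }

    static {
        // Global safe mode: AutoType is switched off entirely (no allow/deny-list
        // matching at all), so any "@type" key in the input raises a JSONException.
        ParserConfig.getGlobalInstance().setSafeMode(true);
    }

    /**
     * Binds the body to a fixed target class chosen by the server.
     * The input is never allowed to pick the class that gets instantiated.
     */
    public static TransactionRequest parse(String body) {
        return JSON.parseObject(body, TransactionRequest.class);
    }

    public static void main(String[] args) {
        // Constructed sample inputs for the demonstration.
        String benign = "{\"xid\":\"tx-123\",\"status\":1}";
        String withAutoType = "{\"@type\":\"some.placeholder.ChosenClass\",\"xid\":\"tx-123\"}";

        TransactionRequest ok = parse(benign);
        System.out.println("accepted: xid=" + ok.getXid() + " status=" + ok.getStatus());

        try {
            parse(withAutoType);
            System.out.println("UNEXPECTED: @type directive was accepted");
        } catch (JSONException e) {
            // Expected under safeMode: the parser refuses the type directive
            // before attempting to resolve or instantiate the named class.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two design points matter here. First, `setSafeMode(true)` is stronger than the older `setAutoTypeSupport(false)`, which still consulted allow and deny lists and was bypassed several times; safeMode removes the `@type` code path altogether, which is the right default for a service that only ever expects plain DTOs. Second, the compensating control belongs at the parser level, because an input filter that merely strips the literal string `@type` is easy to miss in nested objects or alternative encodings. As a detection aid, a `JSONException` whose message names `safeMode` on a request path is worth logging with the caller's identity, since a legitimate client has no reason to send a type directive.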
External POC / Exploit Code
EUVD-2026-31730
GHSA-4r4v-3jc5-hrg9