EUVD-2026-14708
GHSA-q9jc-xq58-m52x
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:M/U:Amber
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:M/U:Amber
Lifecycle Timeline
4DescriptionCVE.org
Deserialization of Untrusted Data vulnerability in DTStack chunjun (chunjun-core/src/main/java/com/dtstack/chunjun/util modules). This vulnerability is associated with program files GsonUtil.Java.
This issue affects chunjun: before 1.16.1.
AnalysisAI
A deserialization of untrusted data vulnerability exists in DTStack chunjun versions prior to 1.16.1, specifically in the GsonUtil.java module within chunjun-core. An attacker can exploit this CWE-502 flaw to execute arbitrary code by crafting malicious serialized objects that are processed during deserialization. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Remote unauthenticated attacker can exploit DTStack chunjun versions before 1.16.1 by sending untrusted serialized data to the GsonUtil.java deserialization handler. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | While CVSS score and vector are not provided, the vulnerability's CWE-502 classification combined with its location in a core utility function suggests high severity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious JSON payload containing a serialized Java object with embedded gadget chain instructions. When chunjun processes this payload via GsonUtil deserialization without proper type validation, the gadget chain is instantiated and executed, granting the attacker remote code execution on the chunjun host with the privileges of the running process. … |
| Remediation | Immediately upgrade DTStack chunjun to version 1.16.1 or later to obtain the vendor patch. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 7 days: Identify all affected systems and apply vendor patches promptly. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Local denial of service in Android's PackageInstaller subsystem stems from a logic error in PackageInstallerSession.tran
Cedar policy injection in CedarJava (com.cedarpolicy:cedar-java) versions below 2.3.6, 3.4.1, and 4.9.0 allows attackers
Type confusion in CedarJava versions prior to 2.3.6, 3.4.1, and 4.9 allows authenticated remote attackers to manipulate
Remote code execution in Spinnaker's Orca and Rosco services allows authenticated users to achieve arbitrary Java class
Denial of service in Steeltoe.Discovery.Eureka client (.NET) versions prior to 4.2.0 and 3.4.0 allows a remote Eureka re
Share
External POC / Exploit Code
Leaving vuln.today