
APScheduler EUVD-2026-30947

CVE-2026-31072 CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-05-19 mitre GHSA-9cfw-f3f9-7mm7
9.8 CVSS 3.1

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: May 20, 2026 - 17:28 (vuln.today)
CVSS changed: May 20, 2026 - 17:22 (NVD), 9.8 (CRITICAL)
CVE Published: May 19, 2026 - 00:00 (nvd), UNKNOWN (no severity yet)

Description (NVD)

The JSONSerializer and CBORSerializer in APScheduler (all versions including 3.10.x and 4.0.0a5) are vulnerable to Remote Code Execution (RCE) via Insecure Deserialization. The unmarshal_object function allows for arbitrary class instantiation and state injection by dynamically importing modules and calling __setstate__ on any class available in the Python environment. An attacker can exploit this by submitting a specially crafted JSON or CBOR payload to an application using these serializers.

Analysis (AI)

Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deserialize attacker-controlled data via the bundled JSONSerializer or CBORSerializer. The unmarshal_object routine dynamically imports modules and invokes __setstate__ on arbitrary classes, letting an attacker pivot an untrusted payload into code execution; publicly available exploit code exists, though EPSS remains low at 0.06% (19th percentile).
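The description and analysis above both come down to one pattern: the serializer takes a module path and class name from the payload, imports the module, instantiates the class and hands the attacker's state to `__setstate__`. The defensive counterpart is to never resolve classes from wire data at all. The following is an added example, not APScheduler's code: it assumes a hypothetical wire shape of `{"__module__", "__name__", "state"}` (chosen to mirror the pattern the advisory describes, not APScheduler's real format), replaces the dynamic import with an explicit registry of classes the application is willing to rehydrate, and lets each registered class validate its own state. The `IntervalSpec` class and all sample payloads are constructed for the demo.

```python
"""Registry-gated unmarshalling as a mitigation for CWE-502 style deserialization.

Illustrative example; not APScheduler's serializer. The payload shape
{"__module__": str, "__name__": str, "state": dict} is an assumption.
"""
import json
from typing import Any, Dict, Tuple


class UnsafeObjectError(ValueError):
    """Raised when a serialized object names a class outside the registry."""


class IntervalSpec:
    """Constructed example of a class an application legitimately rehydrates."""

    def __init__(self, seconds: int = 0) -> None:
        self.seconds = seconds

    def __setstate__(self, state: dict) -> None:
        # Validate the state instead of copying arbitrary keys into __dict__.
        seconds = state.get("seconds", 0)
        if not isinstance(seconds, int) or seconds < 0:
            raise UnsafeObjectError("invalid IntervalSpec state")
        self.seconds = seconds


# The registry maps (module, qualified name) to a class object that was imported
# at startup. Nothing named on the wire is ever imported or looked up by name.
REGISTERED_CLASSES: Dict[Tuple[str, str], type] = {
    (IntervalSpec.__module__, IntervalSpec.__qualname__): IntervalSpec,
}


def safe_unmarshal_object(payload: dict, registry=REGISTERED_CLASSES) -> Any:
    """Rebuild an object from a decoded payload, refusing unregistered classes."""
    module_name = payload.get("__module__")
    class_name = payload.get("__name__")
    state = payload.get("state", {})
    if not isinstance(module_name, str) or not isinstance(class_name, str):
        raise UnsafeObjectError("payload does not name a class")
    cls = registry.get((module_name, class_name))
    if cls is None:
        # Rejected before any import or instantiation can happen.
        raise UnsafeObjectError(f"{module_name}.{class_name} is not registered")
    if not isinstance(state, dict):
        raise UnsafeObjectError("state must be a mapping")
    if not hasattr(cls, "__setstate__"):
        raise UnsafeObjectError(f"{class_name} does not define a validating __setstate__")
    obj = cls.__new__(cls)   # bypass __init__, as pickle-style protocols do ...
    obj.__setstate__(state)  # ... and let the class validate its own state
    return obj


def load_object(json_text: str) -> tuple:
    """Decode JSON and unmarshal; returns ("ok", obj) or ("rejected", reason)."""
    try:
        return "ok", safe_unmarshal_object(json.loads(json_text))
    except UnsafeObjectError as exc:
        return "rejected", str(exc)


# Constructed sample payloads.
TRUSTED_JSON = json.dumps({
    "__module__": IntervalSpec.__module__,
    "__name__": "IntervalSpec",
    "state": {"seconds": 30},
})
# Names a class that is not in the registry (hypothetical module and class names).
UNLISTED_JSON = json.dumps({
    "__module__": "some.other.module",
    "__name__": "ArbitraryClass",
    "state": {},
})
# Registered class, but state that fails the class's own validation.
BAD_STATE_JSON = json.dumps({
    "__module__": IntervalSpec.__module__,
    "__name__": "IntervalSpec",
    "state": {"seconds": -5},
})

if __name__ == "__main__":
    print(load_object(TRUSTED_JSON))
    print(load_object(UNLISTED_JSON))
    print(load_object(BAD_STATE_JSON))
```

The two properties worth carrying into a real fix are that the class lookup is a dictionary hit on objects imported at startup (so the payload can never cause an import), and that `__setstate__` is treated as a validation boundary rather than a blind `__dict__.update`. An application that needs to keep a JSON or CBOR job store should also treat that store as trusted-input-only until the serializer is patched, which is what the remediation section's advice to restrict access to the data source amounts to.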


Remediation (AI)

24 hours: Audit all systems running APScheduler versions ≤3.10.x or ≤4.0.0a5 to determine exposure and data sources. 7 days: For systems processing untrusted serialized input, immediately implement controls: disable JSONSerializer and CBORSerializer deserialization, restrict network access to APScheduler instances, or containerize with execution constraints. …


Vendor Status (Vendor)


EUVD-2026-30947 vulnerability details – vuln.today
