What is CVE-2026-32933?

CVE-2026-32933 is a high-severity vulnerability in Luckypennysoftware Automapper, classified under Uncontrolled Recursion. CVSS score: 7.5/10. Published 2026-03-20.

How severe is CVE-2026-32933?

High severity. CVSS v3 base score is 7.5 out of 10.

Vulnerability in Luckypennysoftware Automapper

CVE-2026-32933

AutoMapper is a convention-based object-object mapper in .NET. Versions prior to 15.1.1 and 16.1.1 are vulnerable to a Denial of Service (DoS) attack. When mapping deeply nested object graphs, the library uses recursive method calls withou…

EPSS: 0.000 (8.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

Affected products

Luckypennysoftware Automapper — versions >= 16.0.0, < 16.1.1, < 15.1.1

Weakness classification (CWE)

CWE-674 — Uncontrolled Recursion

References

https://github.com/LuckyPennySoftware/AutoMapper/security/advisories/GHSA-rvv3-g6hj-g44x (x_refsource_CONFIRM)
https://github.com/LuckyPennySoftware/AutoMapper/commit/0afaf1e91648fca1a57512e94dd00a76ee016816 (x_refsource_MISC)
https://github.com/LuckyPennySoftware/AutoMapper/releases/tag/v15.1.1 (x_refsource_MISC)
https://github.com/LuckyPennySoftware/AutoMapper/releases/tag/v16.1.1 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-32933?: CVE-2026-32933 is a high-severity vulnerability in Luckypennysoftware Automapper, classified under Uncontrolled Recursion. CVSS score: 7.5/10. Published 2026-03-20.
How severe is CVE-2026-32933?: High severity. CVSS v3 base score is 7.5 out of 10.