What is CVE-2026-48506?

CVE-2026-48506 is a high-severity vulnerability in Messagepack, classified under Uncontrolled Recursion. CVSS score: 7.5/10. Published 2026-06-22.

How severe is CVE-2026-48506?

High severity. CVSS v3 base score is 7.5 out of 10.

Vulnerability in Messagepack

CVE-2026-48506

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePackReader.TrySkip() recursively descends into nested arrays and maps without incrementing the reader depth or calling the configured depth checks. T…

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.

Affected products

Messagepack
Messagepack-csharp — versions >= 3.1.7, < 3.1.7, < 2.5.301

Weakness classification (CWE)

CWE-674 — Uncontrolled Recursion

References

security-advisories@github.com (x_refsource_CONFIRM, Mitigation, Vendor Advisory)

Frequently asked questions

What is CVE-2026-48506?: CVE-2026-48506 is a high-severity vulnerability in Messagepack, classified under Uncontrolled Recursion. CVSS score: 7.5/10. Published 2026-06-22.
How severe is CVE-2026-48506?: High severity. CVSS v3 base score is 7.5 out of 10.