
CVE-2026-47065 -- CVSS 9.8 Vulnerability Briefing

CVE-2026-47065 | CVSS 9.8 (Critical) | Exploit: No known exploit

What Is It

CVE-2026-47065 is a deserialization filter bypass vulnerability in Java-based serialization handling. It affects components that process serialized object streams without properly overriding the resolveProxyClass method, which lets an attacker circumvent the acceptMatchers class filter by supplying java.lang.reflect.Proxy descriptors.

Technical Detail

The flaw exists because the affected implementation does not override resolveProxyClass, the hook that is invoked when a serialized stream contains a TC_PROXYCLASSDESC descriptor representing a dynamic proxy class. An attacker who can supply a crafted serialized payload can use this gap to have a proxy class resolved and instantiated outside the bounds of the configured acceptMatchers deserialization filter, effectively bypassing the intended class allowlist. Successful exploitation could lead to remote code execution or arbitrary object instantiation, depending on the gadget chains available on the target application's classpath; the CVSS score of 9.8 reflects the critical severity of unauthenticated, network-accessible exploitation.

Exploitation Status

No known exploit code has been publicly identified at this time, and this CVE is not currently listed in the CISA Known Exploited Vulnerabilities catalog. The exploit maturity is assessed as no known exploit. However, the underlying technique of bypassing Java deserialization filters via proxy class descriptors is a well-understood attack class, and the barrier to weaponization for a skilled attacker is relatively low given existing public research on Java deserialization gadget chains.

Who Is Targeting This

No specific threat actor attribution at this time. No confirmed or reported threat actor associations have been identified for this CVE as of June 10, 2026.

What To Do

The vendor advisory notes this issue is fully addressed, so the primary action is to identify and patch any affected deployments to the remediated version as soon as possible, prioritizing internet-facing or network-accessible Java applications that process untrusted serialized data. Organizations should verify that their deserialization filter implementations explicitly override resolveProxyClass and apply appropriate class restrictions to proxy interfaces. As a defense-in-depth measure, restrict or disable Java serialization on endpoints where it is not operationally required, and deploy network-level controls to limit exposure of serialization endpoints to untrusted sources. Detection efforts should focus on monitoring for unexpected TC_PROXYCLASSDESC tokens in serialized traffic and anomalous class loading activity in Java application logs.
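The following is an added illustration, not code from the vendor advisory or from the affected product, of what "explicitly override resolveProxyClass" means in practice. It is a generic ObjectInputStream subclass that applies an allowlist to both ordinary class descriptors and proxy descriptors; the class name ProxyAwareFilteringStream, the allowlist sets, the NoOpHandler helper and the serialized sample stream are all constructed for the demonstration and say nothing about how the vendor's acceptMatchers filter is implemented. The resolveProxyClass override is also the point where the TC_PROXYCLASSDESC detection mentioned above can be logged, because every proxy descriptor in the stream passes through it before any class is loaded.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.Set;
import java.util.logging.Logger;

/**
 * Hypothetical example: an ObjectInputStream that allowlists BOTH plain class
 * descriptors (resolveClass) and dynamic proxy descriptors (resolveProxyClass).
 * A filter that hooks only resolveClass never sees the interface names carried
 * by a TC_PROXYCLASSDESC record, which is the gap the briefing describes.
 */
public final class ProxyAwareFilteringStream extends ObjectInputStream {
    private static final Logger LOG = Logger.getLogger(ProxyAwareFilteringStream.class.getName());

    private final Set<String> allowedClasses;
    private final Set<String> allowedProxyInterfaces;

    public ProxyAwareFilteringStream(InputStream in, Set<String> allowedClasses,
                                     Set<String> allowedProxyInterfaces) throws IOException {
        super(in);
        this.allowedClasses = allowedClasses;
        this.allowedProxyInterfaces = allowedProxyInterfaces;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        if (!allowedClasses.contains(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "class not on deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    @Override
    protected Class<?> resolveProxyClass(String[] interfaces)
            throws IOException, ClassNotFoundException {
        // Detection point: log every proxy descriptor, accepted or not.
        LOG.info("TC_PROXYCLASSDESC seen, interfaces=" + String.join(",", interfaces));
        // Every interface the proxy implements must be individually allowlisted.
        for (String iface : interfaces) {
            if (!allowedProxyInterfaces.contains(iface)) {
                throw new InvalidClassException(iface, "proxy interface not on deserialization allowlist");
            }
        }
        return super.resolveProxyClass(interfaces);
    }

    /** Harmless serializable handler used only to build the constructed sample stream. */
    static final class NoOpHandler implements InvocationHandler, Serializable {
        private static final long serialVersionUID = 1L;
        @Override
        public Object invoke(Object proxy, Method m, Object[] args) { return null; }
    }

    /** Constructed sample input: a serialized java.lang.Runnable proxy instance. */
    static byte[] constructedProxyStream() throws IOException {
        Object proxy = Proxy.newProxyInstance(ProxyAwareFilteringStream.class.getClassLoader(),
                new Class<?>[] { Runnable.class }, new NoOpHandler());
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(proxy);
        }
        return bos.toByteArray();
    }

    /** Reads the stream under the given allowlists and reports the outcome as text. */
    static String readWith(byte[] stream, Set<String> classes, Set<String> proxyIfaces) {
        try (ProxyAwareFilteringStream in = new ProxyAwareFilteringStream(
                new ByteArrayInputStream(stream), classes, proxyIfaces)) {
            Object o = in.readObject();
            return "accepted: " + o.getClass().getName();
        } catch (InvalidClassException e) {
            return "rejected: " + e.getMessage();
        } catch (IOException | ClassNotFoundException e) {
            return "error: " + e;
        }
    }

    public static void main(String[] args) throws IOException {
        byte[] stream = constructedProxyStream();
        // Classes the sample stream legitimately references besides the proxy class itself.
        Set<String> classes = Set.of(Proxy.class.getName(), NoOpHandler.class.getName());

        // 1. No proxy interfaces allowlisted: rejected inside resolveProxyClass,
        //    before the InvocationHandler object is even read from the stream.
        System.out.println(readWith(stream, classes, Set.of()));
        // 2. Runnable explicitly allowed: the proxy deserializes normally.
        System.out.println(readWith(stream, classes, Set.of(Runnable.class.getName())));
    }
}
```

The two calls in main show the contrast a reviewer should look for: with the proxy interface allowlist empty, the stream is rejected at the descriptor stage, whereas a subclass that overrode only resolveClass would have resolved the proxy class and proceeded to read its handler. On JDK 9 and later the built-in ObjectInputFilter hook (ObjectInputStream.setObjectInputFilter) is also consulted for proxy descriptors, but that filter sees the generated proxy class rather than its interface list, so a custom allowlist that reasons about interface names still belongs in resolveProxyClass as shown.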
