GHSA-rp46-r563-jrc7Medium

Apache Avro Java SDK is Vulnerable to Code Injection

Published
February 13, 2026
Last Modified
June 5, 2026

🔗 CVE IDs covered (1)

📋 Description

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Avro Java SDK when generating specific records from untrusted Avro schemas.

This issue affects Apache Avro Java SDK: all versions through 1.11.4 and version 1.12.0.

Users are recommended to upgrade to version 1.12.1 or 1.11.5, which fix the issue.

🎯 Affected products2

  • maven/org.apache.avro:avro-compiler:= 1.12.0
  • maven/org.apache.avro:avro-compiler:< 1.11.5

🔗 References (9)