Sandbox Escape Vulnerability in alf.io Ticket Reservation System
CVE-2026-35482

8 HIGH

Key Information:

CVE Published: 2 June 2026

What is CVE-2026-35482?

The alf.io ticket reservation system contains a sandbox escape vulnerability that allows authenticated administrators to execute arbitrary operating system commands on the server. Two weaknesses combine to cause it: a Java object is injected into the sandbox without guarding, and the abstract syntax tree (AST) blocklist used for validation is incomplete. Together they permit a full sandbox escape via Java reflection, bypassing the validation checks. Versions prior to 2.0-M5-2606 are affected; 2.0-M5-2606 and later contain the fix.

Affected Version(s)

alf.io < 2.0-M5-2606

CVSS V3.1

Score: 8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
