Deserialization Vulnerability in changmingxie tcc-transaction Affected by Fastjson AutoType REST API
CVE-2026-9497

5.3 MEDIUM

Key Information:

Vendor
CVE Published: 25 May 2026

What is CVE-2026-9497?

A security flaw has been identified in changmingxie tcc-transaction, specifically in the Fastjson.parseObject function of the Fastjson AutoType REST API component. The vulnerability lets attackers abuse deserialization, potentially enabling unauthorized remote code execution. The flaw affects all versions up to 2.1.0. Because unauthorized users can initiate attacks remotely, without physical access, the risk is significant and patching and mitigation are urgent.

Affected Version(s)

tcc-transaction 2.0

tcc-transaction 2.1.0

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ku4D3 (VulDB User)
VulDB CNA Team