CVE-2026-11460
HIGHBoost Serialization improper validation of specified type of input
Title source: cnaDescription
A flaw has been found in Boost Serialization up to 1.91. The impacted element is an unknown function. This manipulation causes improper validation of specified type of input. It is possible to initiate the attack remotely. The exploit has been published and may be used. The maintainer was notified on Aug 2025 and a disclosure deadline was set for 90 days. The maintainer acknowledged but postponed indefinitely citing time concerns. No patch is currently available and the disclosure deadline has expired.
References (6)
Core 6
Core References
Vdb Entry vdb-entry
VDB-369080 | Boost Serialization improper validation of specified type of input
https://vuldb.com/vuln/369080
Signature, Permissions Required signature
permissions-required
VDB-369080 | CTI Indicators (IOB, IOC)
https://vuldb.com/vuln/369080/cti
Third Party Advisory third-party-advisory
CVE-2026-11460 | CVE Analysis and Report
https://vuldb.com/cve/CVE-2026-11460
Third Party Advisory third-party-advisory
Submit #814455 | boostorg boost serialization 1.91 CWE-1287, CWE-843 (Type Confusion)
https://vuldb.com/submit/814455
Issue Tracking issue-tracking
https://github.com/boostorg/serialization/issues/331
Scores
CVSS v3
7.3
EPSS
0.0031
EPSS Percentile
22.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-1287
CWE-20
Status
published
Products (50)
Boost/Serialization
1.0
Boost/Serialization
1.1
Boost/Serialization
1.10
Boost/Serialization
1.11
Boost/Serialization
1.12
Boost/Serialization
1.13
Boost/Serialization
1.14
Boost/Serialization
1.15
Boost/Serialization
1.16
Boost/Serialization
1.17
... and 40 more
Published
Jun 07, 2026
Tracked Since
Jun 08, 2026