Description
Insecure deserialization of untrusted input in StellarGroup HPX 1.11.0 under certain conditions may allow attackers to execute arbitrary code or other unspecified impacts.
Published: 2026-04-28
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an insecure deserialization flaw: an attacker who can supply crafted input to the StellarGroup HPX application may be able to execute arbitrary code. When the flaw is triggered, the attacker can compromise the confidentiality, integrity, and availability of the affected system, resulting in full compromise of the environment running the vulnerable component. The description indicates that the issue surfaces under certain conditions, but the specific prerequisites for exploitation are not detailed in the available data.

Affected Systems

StellarGroup HPX version 1.11.0 is the only documented affected product. No additional vendors, product lines or patch versions are listed, so the scope is limited to that single component.

Risk and Exploitability

The EPSS score is < 1% and the vulnerability is not listed in the CISA KEV catalog. The CVSS score is 9.8, indicating an extremely high severity. Based on the description, it is inferred that exploitation may be achieved remotely by supplying malicious data to the deserialization routine, although the exact attack vector is not specified. The risk to any system running the affected version is significant, especially if it is exposed to untrusted networks or users.

Generated by OpenCVE AI on May 2, 2026 at 00:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑issued patch for HPX 1.11.0 as soon as it becomes available.
  • If a patch is not yet released, disable or restrict the feature that accepts untrusted deserialization input.
  • Implement strict input validation to ensure only properly formed, trusted data is processed.
  • Monitor logs for anomalous deserialization activity and block suspicious payloads.

Advisories

No advisories yet.

History

Mon, 18 May 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Stellar-group
Stellar-group hpx
CPEs cpe:2.3:a:stellar-group:hpx:*:*:*:*:*:*:*:*
Vendors & Products Stellar-group
Stellar-group hpx

Sat, 02 May 2026 01:00:00 +0000

Type Values Removed Values Added
Title Insecure Deserialization Allows Arbitrary Code Execution in StellarGroup HPX 1.11.0

Thu, 30 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 29 Apr 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Stellargroup
Stellargroup hpx
Vendors & Products Stellargroup
Stellargroup hpx

Tue, 28 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Title Insecure Deserialization Allows Arbitrary Code Execution in StellarGroup HPX 1.11.0
Weaknesses CWE-502

Tue, 28 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Description Insecure deserialization of untrusted input in StellarGroup HPX 1.11.0 under certain conditions may allow attackers to execute arbitrary code or other unspecified impacts.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-30T15:22:55.199Z

Reserved: 2025-09-26T00:00:00.000Z

Link: CVE-2025-60889

Vulnrichment

Updated: 2026-04-30T12:27:18.667Z

NVD

Status: Analyzed

Published: 2026-04-28T16:16:05.763

Modified: 2026-05-18T18:23:32.877

Link: CVE-2025-60889

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T00:45:30Z

Weaknesses