Description
A flaw has been found in changmingxie tcc-transaction up to 2.1.0. This issue affects the function Fastjson.parseObject of the component Fastjson AutoType REST API. This manipulation causes deserialization. It is possible to initiate the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-25
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw exists in the Fastjson.parseObject function used by the AutoType REST API of tcc-transaction. By sending a crafted JSON payload, an attacker can trigger deserialization of arbitrary objects, which may result in remote code execution or other unintended operational effects. The weakness stems from insufficient input validation (CWE-20) and insecure deserialization practices (CWE-502).

Affected Systems

The vulnerability affects all releases of tcc-transaction from changmingxie up to and including version 2.1.0. No later releases have been documented as fixing the issue, and the component is still exposed via REST API endpoints that accept JSON input.

Risk and Exploitability

With a CVSS score of 5.3, the flaw is rated moderate in severity. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, indicating no confirmed exploitation yet. The attack vector is remote, reaching the REST API over a network connection, so an attacker does not need local access to the target system.

Generated by OpenCVE AI on May 25, 2026 at 21:52 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade tcc-transaction to a version newer than 2.1.0 if one exists
  • Disable the AutoType REST API endpoints or configure Fastjson to disable automatic type support in the application settings
  • Filter incoming requests to the affected API endpoints for malformed JSON payloads or apply network-level controls to reduce the attack surface


Advisories

No advisories yet.

History

Tue, 26 May 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 25 May 2026 20:15:00 +0000

Type | Values Removed | Values Added
Description | | A flaw has been found in changmingxie tcc-transaction up to 2.1.0. This issue affects the function Fastjson.parseObject of the component Fastjson AutoType REST API. This manipulation causes deserialization. It is possible to initiate the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way.
Title | | changmingxie tcc-transaction Fastjson AutoType REST API Fastjson.parseObject deserialization
First Time appeared | | Changmingxie; Changmingxie tcc-transaction
Weaknesses | | CWE-20; CWE-502
CPEs | | cpe:2.3:a:changmingxie:tcc-transaction:*:*:*:*:*:*:*:*
Vendors & Products | | Changmingxie; Changmingxie tcc-transaction
References | |
Metrics | | cvssV2_0 {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0 {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-26T15:08:15.118Z

Reserved: 2026-05-25T09:37:31.224Z

Link: CVE-2026-9497

Vulnrichment

Updated: 2026-05-26T15:08:09.389Z

NVD

Status : Received

Published: 2026-05-25T20:16:38.137

Modified: 2026-05-25T20:16:38.137

Link: CVE-2026-9497

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T13:00:11Z

Weaknesses