{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4735", "assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "state": "PUBLISHED", "assignerShortName": "GovTech CSG", "dateReserved": "2026-03-24T03:07:43.669Z", "datePublished": "2026-03-24T03:08:18.156Z", "dateUpdated": "2026-03-24T14:36:43.076Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "shortName": "GovTech CSG", "dateUpdated": "2026-03-24T03:08:18.156Z"}, "title": "A stack overflow and DoS vulnerability in DTStack/chunjun", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "type": "CWE"}]}], "affected": [{"vendor": "DTStack", "product": "chunjun", "collectionURL": "https://github.com/DTStack/chunjun", "modules": ["\u200echunjun-core/src/main/java/com/dtstack/chunjun/util"], "programFiles": ["GsonUtil.java"], "versions": [{"status": "affected", "version": "0", "lessThan": "1.16.1", "versionType": "git"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in DTStack chunjun (\u200echunjun-core/src/main/java/com/dtstack/chunjun/util modules). This vulnerability is associated with program files GsonUtil.Java.\n\nThis issue affects chunjun: before 1.16.1.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Deserialization of Untrusted Data vulnerability in DTStack chunjun (\u200echunjun-core/src/main/java/com/dtstack/chunjun/util modules).<p> This vulnerability is associated with program files GsonUtil.Java.</p><p>This issue affects chunjun: before 1.16.1.</p>"}]}], "references": [{"url": "https://github.com/DTStack/chunjun/pull/1939", "tags": ["patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "PROOF_OF_CONCEPT", "Safety": "NEGLIGIBLE", "Automatable": "YES", "Recovery": "USER", "valueDensity": "CONCENTRATED", "vulnerabilityResponseEffort": "MODERATE", "providerUrgency": "AMBER", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.7, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:P/S:N/AU:Y/R:U/V:C/RE:M/U:Amber"}}], "credits": [{"lang": "en", "value": "TITAN Team (titancaproject@gmail.com)", "type": "reporter"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T14:36:35.935783Z", "id": "CVE-2026-4735", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T14:36:43.076Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4735", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T14:36:35.935783Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T14:36:39.466Z"}}], "cna": {"title": "A stack overflow and DoS vulnerability in DTStack/chunjun", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "TITAN Team (titancaproject@gmail.com)"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NEGLIGIBLE", "version": "4.0", "Recovery": "USER", "baseScore": 8.7, "Automatable": "YES", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:P/S:N/AU:Y/R:U/V:C/RE:M/U:Amber", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "AMBER", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "MODERATE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "DTStack", "modules": ["\u200echunjun-core/src/main/java/com/dtstack/chunjun/util"], "product": "chunjun", "versions": [{"status": "affected", "version": "0", "lessThan": "1.16.1", "versionType": "git"}], "programFiles": ["GsonUtil.java"], "collectionURL": "https://github.com/DTStack/chunjun", "defaultStatus": "affected"}], "references": [{"url": "https://github.com/DTStack/chunjun/pull/1939", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in DTStack chunjun (\u200echunjun-core/src/main/java/com/dtstack/chunjun/util modules). This vulnerability is associated with program files GsonUtil.Java.\n\nThis issue affects chunjun: before 1.16.1.", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in DTStack chunjun (\u200echunjun-core/src/main/java/com/dtstack/chunjun/util modules).<p> This vulnerability is associated with program files GsonUtil.Java.</p><p>This issue affects chunjun: before 1.16.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "shortName": "GovTech CSG", "dateUpdated": "2026-03-24T03:08:18.156Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4735", "state": "PUBLISHED", "dateUpdated": "2026-03-24T14:36:43.076Z", "dateReserved": "2026-03-24T03:07:43.669Z", "assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "datePublished": "2026-03-24T03:08:18.156Z", "assignerShortName": "GovTech CSG"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in DTStack chunjun (\u200echunjun-core/src/main/java/com/dtstack/chunjun/util modules). This vulnerability is associated with program files GsonUtil.Java.\n\nThis issue affects chunjun: before 1.16.1."}, {"lang": "es", "value": "Vulnerabilidad de Deserializaci\u00f3n de Datos No Confiables en DTStack chunjun (m\u00f3dulos chunjun-core/src/main/java/com/dtstack/chunjun/util). Esta vulnerabilidad est\u00e1 asociada con los archivos de programa GsonUtil.Java.\n\nEste problema afecta a chunjun: anterior a 1.16.1."}], "id": "CVE-2026-4735", "lastModified": "2026-04-30T16:01:57.470", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "YES", "Recovery": "USER", "Safety": "NEGLIGIBLE", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:M/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "MODERATE"}, "source": "cve_disclosure@tech.gov.sg", "type": "Secondary"}]}, "published": "2026-03-24T04:17:26.117", "references": [{"source": "cve_disclosure@tech.gov.sg", "url": "https://github.com/DTStack/chunjun/pull/1939"}], "sourceIdentifier": "cve_disclosure@tech.gov.sg", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "cve_disclosure@tech.gov.sg", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.16.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "chunjun", "source": "cna", "vendor": "DTStack"}, "product": "chunjun", "vendor": "dtstack"}], "analysis": {"en": {"generated_at": "2026-03-24T05:22:32.384323+00:00", "value": {"mitigation_remediation": ["Upgrade to DTStack chunjun version 1.16.1 or later."], "summary": {"action": "Patch Now", "impact": "Denial of Service and Stack Overflow"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to all installations of DTStack chunjun that use the chunjun-core component and are running versions earlier than 1.16.1. Any deployment that incorporates these components is at risk.", "description_and_impact": "DTStack chunjun\u2019s core utility deserializes incoming data without verifying its integrity, leading to a stack overflow when malicious input is processed. This flaw results in a denial\u2011of\u2011service condition for affected applications.", "risk_and_exploitability": "The CVSS base score of 8.7 indicates high severity. EPSS data is unavailable and the vulnerability is not cataloged in the CISA KEV list. The attack most likely requires an attacker to supply crafted input to the deserialization routine, which can cause application crashes or extended downtime."}}}}, "created": "2026-03-24T10:29:17.290980+00:00", "updated": "2026-03-25T20:40:22.550287+00:00", "vendors": ["dtstack", "dtstack$PRODUCT$chunjun"]}