PatchSiren cyber security CVE debrief
CVE-2026-11460 Boost CVE debrief
A flaw has been found in Boost Serialization up to 1.91. The impacted element is an unknown function. Manipulation of it causes improper validation of specified type of input. The attack can be initiated remotely. The exploit has been published and may be used. The maintainer was notified in Aug 2025 and a disclosure deadline of 90 days was set. The maintainer acknowledged but postponed indefinitely, citing time concerns. No patch is currently available and the disclosure deadline has expired.
- Vendor: Boost
- Product: Serialization
- CVSS: LOW 2.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-07
- Original CVE updated: 2026-06-08
- Advisory published: 2026-06-07
- Advisory updated: 2026-06-08
Who should care
Users of Boost Serialization up to version 1.91 should be aware of this vulnerability and take necessary precautions to mitigate potential attacks.
Technical summary
The vulnerability is caused by improper validation of specified type of input in an unknown function of Boost Serialization up to 1.91. This allows for remote attacks.
Defensive priority
LOW
Recommended defensive actions
- Update to a patched version of Boost Serialization once one is available; per the advisory, no patch currently exists.
- Implement additional security measures that validate input, to reduce exposure to potential attacks.
Evidence notes
The CVSS score for this vulnerability is 2.9, indicating a LOW severity. The CVSS vector is CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.
Official resources
CVE-2026-11460 was published on 2026-06-07T20:16:39.993Z and modified on 2026-06-08T14:57:14.757Z.