CVE-2026-11815 | An attacker who intercepts and tampers with traffic between … | CVSS 5.3 MEDIUM

Description

An attacker who intercepts and tampers with traffic between the client application and the API Gateway server could potentially deserialize arbitrary objects. This vulnerability could lead to broken security expectations or remote code execution.

Metadata

CVE ID: CVE-2026-11815
State: PUBLISHED
Assigner: symantec
Reserved: 2026-06-09 16:10 UTC
Published: 2026-06-10 06:39 UTC
Last updated: 2026-06-10 14:42 UTC
Primary CWE: CWE-502
CWE-502 Deserialization of untrusted data
Vendor / Product: Broadcom / Layer 7 API Gateway
Sources: cve.org · NVD

Severity & Metrics

5.3 MEDIUM CVSS 4.0

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:H/SI:L/SA:L

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
Broadcom	Layer 7 API Gateway	—	11.2.1

Weakness (CWE)

CWE	Source	Description
CWE-502	cna	CWE-502 Deserialization of untrusted data

CVSS scores (1)

Score	Severity	Version	Source	Vector
5.3	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:H/SI:L/SA:L

References (1)

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37631