Anonymous Intelligence Signal

YetAnotherForum.NET Deserialization Flaw Allows Code Execution via Malicious User-Agent - CVE-2026-43938

The Lab (human, unverified) | 2026-05-12 17:18:25 | Source: Mastodon:mastodon.social:#infosec

A high-severity deserialization vulnerability has been identified in YetAnotherForum.NET (YAF.NET), a widely deployed C# ASP.NET forum platform. Tracked as CVE-2026-43938 with a CVSS score of 8.1 (High), the flaw resides in the application's database logger component at YAFNET.Core/Logger/DbLogger.cs. According to the disclosure, the logger captures the incoming HTTP request's User-Agent header, places it into a JObject, and serializes it with JsonConvert without sanitization or type validation, so that a specially crafted User-Agent string can reach an unsafe deserialization path during logging. One caveat for anyone triaging this: serializing a value with Json.NET does not by itself instantiate types. The dangerous step in this class of bug is a later deserialization of that data with a TypeNameHandling setting other than None, where a "$type" property in the JSON selects the CLR type that gets constructed; that is the sink to look for when reviewing the code path.

The vulnerability affects YAF.NET versions prior to 4.0.5 and 3.2.12. According to the disclosure, the core issue lies in how the application handles untrusted input during its JSON serialization operations. When an attacker supplies a User-Agent header containing serialized .NET object data, the vulnerable code path can lead to remote code execution on the server hosting the forum. Because the affected component is a core module that processes every incoming request, reaching the code path requires only an HTTP request that carries the header, not a forum account, which is what makes the attack surface so broad.
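To make the distinction between harmless serialization and the dangerous sink concrete, the following C# program is an added illustration of the bug class described above. It is not YAF.NET's DbLogger code and does not reproduce the real exploit; it assumes only the Newtonsoft.Json package, and the "$type" hint in the constructed header names a harmless List<string> rather than a gadget type. The vulnerable function reads header text back with TypeNameHandling.All, so the JSON chooses the type; the hardened functions keep the header as an opaque string inside the log record and read it back with TypeNameHandling.None, so "$type" is just data.

```csharp
// Added illustration of the vulnerability class, not YAF.NET's code.
// Requires the Newtonsoft.Json (Json.NET) package.
using System;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

static class UserAgentLoggingDemo
{
    // Constructed hostile User-Agent (assumption for illustration). The "$type"
    // hint names a harmless List<string>; a real attack names a gadget type.
    const string HostileUserAgent =
        "{\"$type\":\"System.Collections.Generic.List`1[[System.String, mscorlib]], mscorlib\"," +
        "\"$values\":[\"Mozilla/5.0\"]}";

    // Vulnerable pattern: header text is treated as JSON and read back with
    // TypeNameHandling.All, so "$type" decides which CLR type is instantiated.
    // This is the unsafe-deserialization sink, regardless of where the text came from.
    public static object VulnerableReadBack(string userAgent)
    {
        var unsafeSettings = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.All };
        return JsonConvert.DeserializeObject<object>(userAgent, unsafeSettings);
    }

    // Hardened pattern, step 1: the header is stored as a plain string value of
    // the log record. Serialization escapes it; nothing is interpreted.
    public static string SafeRecord(string userAgent)
    {
        var record = new JObject { ["UserAgent"] = userAgent };
        return JsonConvert.SerializeObject(record);
    }

    // Hardened pattern, step 2: records are read back with TypeNameHandling.None
    // (the Json.NET default), so a "$type" property can never select a type.
    // If polymorphic types are genuinely needed, pair a narrower TypeNameHandling
    // with a custom ISerializationBinder that allows only an explicit list of types.
    public static JObject SafeReadBack(string json)
    {
        var safeSettings = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.None };
        return JsonConvert.DeserializeObject<JObject>(json, safeSettings);
    }

    static void Main()
    {
        object o = VulnerableReadBack(HostileUserAgent);
        // Prints System.Collections.Generic.List`1[System.String]: the attacker chose the type.
        Console.WriteLine($"vulnerable path instantiated: {o.GetType()}");

        string json = SafeRecord(HostileUserAgent);
        JObject back = SafeReadBack(json);
        // Prints String: the header survived as text and "$type" was never honoured.
        Console.WriteLine($"safe path kept header as: {back["UserAgent"].Type}");
    }
}
```

The audit question this raises for any logging pipeline is therefore not "is the header serialized?" but "is anything derived from it ever deserialized with TypeNameHandling enabled, or passed to JToken.ToObject with a type the attacker can influence?".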

Forum administrators running affected versions of YAF.NET should update to a patched release (4.0.5 or 3.2.12) immediately. Organizations that cannot update right away should consider web application firewall rules that reject User-Agent values which look like JSON or contain Json.NET type-hint tokens such as "$type", and should monitor logs for such values; this is a stopgap only, since a header-based filter is a blocklist that encoding tricks may slip past, and it does not remove the vulnerable sink. Given the platform's typical deployment in community and enterprise environments where user registration and posting are enabled, the vulnerability raises the concern of server-side compromise through nothing more than a manipulated client request. Security teams should audit their YAF.NET installations and confirm that the logging pipeline never deserializes request-derived data with a TypeNameHandling setting other than None; a code search for TypeNameHandling and for JsonConvert.DeserializeObject or JToken.ToObject calls on header-sourced values is the quickest way to find such sinks.
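The following C# screen is an added example of the interim filtering and monitoring described above; it is not part of the advisory or the YAF.NET project. It flags User-Agent values that begin as JSON, carry Json.NET type-hint tokens, or are unusually long, and runs the same check over constructed sample log lines. The patterns, the 1024-byte length limit, and the "client-address, space, user-agent" log layout are assumptions; the check can sit in request middleware or be run over exported logs, and the same conditions can be expressed as WAF rules.

```csharp
// Added example of a User-Agent screen for Json.NET type hints; not YAF.NET code.
// Patterns, the length limit and the sample log layout are assumptions.
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

static class UserAgentScreen
{
    // Json.NET type-hint markers plus two type names that commonly appear in
    // public Json.NET gadget chains. A blocklist like this is a stopgap, not a fix.
    static readonly Regex TypeHint = new Regex(
        @"""?\$type""?\s*:|\$values|System\.Windows\.Data\.ObjectDataProvider|System\.Configuration\.Install",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    const int MaxUserAgentLength = 1024; // assumed ceiling; real browsers stay far below it

    // Returns a short reason when the value is suspicious, otherwise null.
    public static string Flag(string userAgent)
    {
        if (string.IsNullOrEmpty(userAgent)) return null;
        if (userAgent.Length > MaxUserAgentLength) return "oversized User-Agent";
        string trimmed = userAgent.TrimStart();
        if (trimmed.StartsWith("{") || trimmed.StartsWith("[")) return "User-Agent begins as JSON";
        Match m = TypeHint.Match(userAgent);
        return m.Success ? $"Json.NET type-hint token '{m.Value}'" : null;
    }

    // Constructed sample lines in an assumed "client user-agent" layout, not real YAF.NET output.
    static readonly string[] SampleLog =
    {
        "203.0.113.5 Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/125.0",
        "198.51.100.7 {\"$type\":\"System.Windows.Data.ObjectDataProvider, PresentationFramework\"}",
        "192.0.2.9 curl/8.4.0",
        "192.0.2.10 Mozilla/5.0 $type:System.Configuration.Install.AssemblyInstaller",
    };

    // Yields "client: reason" for every line whose User-Agent is flagged.
    public static IEnumerable<string> Review(IEnumerable<string> lines)
    {
        foreach (string line in lines)
        {
            int sp = line.IndexOf(' ');
            string client = sp < 0 ? "unknown" : line.Substring(0, sp);
            string ua = sp < 0 ? line : line.Substring(sp + 1);
            string why = Flag(ua);
            if (why != null) yield return $"{client}: {why}";
        }
    }

    static void Main()
    {
        foreach (string hit in Review(SampleLog)) Console.WriteLine(hit);
        // 198.51.100.7: User-Agent begins as JSON
        // 192.0.2.10: Json.NET type-hint token '$type:'
    }
}
```

In production the flagged value should be logged as an escaped string, never re-parsed, and the alert should be treated as a signal to verify the patch level rather than as a substitute for it.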