
Snyk
added 2025/04/23 10:21 p.m.

Deserialization of Untrusted Data

Overview: llamafactory is an easy-to-use LLM fine-tuning framework. Affected versions of this package are vulnerable to Deserialization of Untrusted Data through the torch.load function. An attacker can execute arbitrary commands by crafting a malicious .bin file that is then deserialized. PoC pyth...

CVSS 7.8 · AI score 7.6 · EPSS 0.00232
Exploits: 1 · References: 2
OSV
added 2025/04/23 10:21 p.m.

GHSA-F2F7-GJ54-6VPV LLaMA-Factory Allows Arbitrary Code Execution via Unsafe Deserialization in llamafy_baichuan2.py

Description: A critical vulnerability exists in the llamafy_baichuan2.py script of the LLaMA-Factory project. The script performs insecure deserialization using torch.load on user-supplied .bin files from an input directory. An attacker can exploit this behavior by crafting a malicious .bin file th...

CVSS 6.1 · AI score 8.1 · EPSS 0.00232
Exploits: 1 · References: 5
Positive Technologies
added 2025/04/23 12:00 a.m.

PT-2025-18684 · Unknown +1 · Llama Factory +1

Name of the Vulnerable Software and Affected Versions: LLaMA-Factory versions prior to 1.0.0. Description: LLaMA Factory enables fine-tuning of large language models. A critical issue exists in the llamafy_baichuan2.py script, which performs insecure deserialization using torch.load on user-supplie...

CVSS 7.8 · AI score 6.6 · EPSS 0.00232
Exploits: 1 · References: 10
CNNVD
added 2025/04/16 12:00 a.m.

Hitachi Vantara Pentaho Business Analytics Server Security Vulnerability

Hitachi Vantara Pentaho Business Analytics Server is a modern data blending, integration and business analytics platform from Hitachi, Ltd. (Japan). A security vulnerability exists in Hitachi Vantara Pentaho Business Analytics Server versions prior to 10.2.0.2, which stems from an...

CVSS 4.9 · AI score 6.4 · EPSS 0.00355
Exploits: 0 · References: 1
BDU FSTEC
added 2025/04/14 12:00 a.m.

The vulnerability of the Factory Default configuration of the Microprogramming Software for Digital Radio Data Transmission Devices Trio Q Data Radio, which allows an intruder to gain unauthorized access to protected information.

The vulnerability of the Factory Default configuration of the Microprogramming Software for Digital Radio Data Transmission Devices from Trio Q Data Radio is related to the insecure storage of confidential information. Exploiting this vulnerability could allow an intruder to gain unauthorized...

CVSS 4.2 · AI score 5.5 · EPSS 0.00156
Exploits: 0 · References: 2 · Affected Software: 1
BDU FSTEC
added 2025/04/14 12:00 a.m.

The vulnerability of the Factory Default configuration of the Microprogramming Software for Digital Radio Data Transmission Devices Trio Q Data Radio, which allows a perpetrator to compromise the confidentiality, integrity, and accessibility of the protected information.

The vulnerability of the Factory Default configuration of the Microprogramming Software for Digital Radio Data Transmission Devices from Trio Q Data Radio is related to the insecure initialization of resources. Exploiting this vulnerability could allow an attacker to compromise the confidentialit...

CVSS 7.2 · AI score 5.5 · EPSS 0.00204
Exploits: 0 · References: 2 · Affected Software: 1
BDU FSTEC
added 2025/04/14 12:00 a.m.

The vulnerability of the Factory Default configuration of the Microprogramming Software for Digital Radio Data Transmission Devices Trio Q Data Radio, which allows an intruder to gain unauthorized access to protected information.

The vulnerability of the Factory Default configuration of the Microprogramming Software for Digital Radio Data Transmission Devices from Trio Q Data Radio is related to the insecure initialization of resources. Exploiting this vulnerability can allow an intruder to gain unauthorized access to...

CVSS 4.9 · AI score 5.5 · EPSS 0.00184
Exploits: 0 · References: 2 · Affected Software: 1
RedhatCVE
added 2025/04/11 10:48 a.m.

CVE-2025-2440

A CWE-922: Insecure Storage of Sensitive Information vulnerability exists that could potentially lead to unauthorized access of confidential data when a malicious user, having physical access and advanced information on the file system, sets the radio in factory default mode...

CVSS 4.2 · AI score 6.4 · EPSS 0.00156
Exploits: 0 · References: 1
NVD
added 2025/04/09 11:15 a.m.

CVE-2025-2440

A CWE-922: Insecure Storage of Sensitive Information vulnerability exists that could potentially lead to unauthorized access of confidential data when a malicious user, having physical access and advanced information on the file system, sets the radio in factory default mode...

CVSS 4.2 · EPSS 0.00156
Exploits: 0 · References: 1
Cvelist
added 2025/04/09 10:26 a.m.

CVE-2025-2442

A CWE-1188: Initialization of a Resource with an Insecure Default vulnerability exists that could potentially lead to unauthorized access, which could result in the loss of confidentiality, integrity and availability when a malicious user, having physical access, sets the radio to the factory default...

CVSS 6.8 · EPSS 0.00204
Exploits: 0 · References: 1
Vulnrichment
added 2025/04/09 10:26 a.m.

CVE-2025-2442

A CWE-1188: Initialization of a Resource with an Insecure Default vulnerability exists that could potentially lead to unauthorized access, which could result in the loss of confidentiality, integrity and availability when a malicious user, having physical access, sets the radio to the factory default...

CVSS 6.8 · AI score 6.6 · EPSS 0.00204
Exploits: 0 · References: 1
CVE
added 2025/04/09 10:20 a.m.

CVE-2025-2440

CVE-2025-2440 affects Schneider Electric Trio Q Licensed Data Radio. Affected: Trio Q radios with insecure storage that can disclose confidential data when a physical attacker sets the radio to factory default mode. Root cause: insecure storage of sensitive information; initialization/default sta...

CVSS 4.2 · AI score 6.4 · EPSS 0.00156
Exploits: 0 · References: 1
Positive Technologies
added 2025/04/08 12:00 a.m.

PT-2025-15687 · Schneider Electric · Trio Q Data Radio +1

Name of the Vulnerable Software and Affected Versions: The product name cannot be determined. Description: A vulnerability exists that could lead to loss of confidentiality when a malicious user, having physical access, sets the product in factory default mode where it does not correctly initiali...

CVSS 4.9 · AI score 6.2 · EPSS 0.00184
Exploits: 0 · References: 8
Positive Technologies
added 2025/04/08 12:00 a.m.

PT-2025-15688 · Schneider Electric · Trio Q Data Radio +1

Name of the Vulnerable Software and Affected Versions: The product name cannot be determined. Description: A vulnerability exists due to the initialization of a resource with an insecure default, potentially leading to unauthorized access. This could result in the loss of confidentiality,...

CVSS 7.2 · AI score 5.8 · EPSS 0.00204
Exploits: 0 · References: 8
Positive Technologies
added 2025/04/08 12:00 a.m.

PT-2025-15686 · Schneider Electric · Trio Q Data Radio +1

Name of the Vulnerable Software and Affected Versions: The product name cannot be determined. Description: A security issue exists due to insecure storage of sensitive information, potentially leading to unauthorized access of confidential data. This could happen when a malicious user with physic...

CVSS 4.2 · AI score 5.8 · EPSS 0.00156
Exploits: 0 · References: 8
CNVD
added 2025/04/07 12:00 a.m.

Google Android Denial of Service Vulnerability (CNVD-2025-12377)

Google Android is a Linux-based open source operating system from Google. Google Android suffers from a denial-of-service vulnerability, which stems from a code logic error that can be exploited by an attacker to trigger a factory reset without the user's consent, resulting in a denial of service...

CVSS 5.5 · AI score 6.3 · EPSS 0.00074
Exploits: 0 · References: 1
CISA
added 2025/04/04 12:00 p.m.

Ivanti Releases Security Updates for Connect Secure, Policy Secure & ZTA Gateways Vulnerability (CVE-2025-22457)

Ivanti released security updates to address vulnerability CVE-2025-22457 in Ivanti Connect Secure, Policy Secure & ZTA Gateways. A cyber threat actor could exploit CVE-2025-22457 to take control of an affected system. CISA has added CVE-2025-22457 to its Known Exploited Vulnerabilities Catalog...

CVSS 9.8 · AI score 7.7 · EPSS 0.99961
Exploits: 7 · References: 6
GithubExploit
added 2025/03/18 2:49 a.m.

Exploit for Use of Hard-coded Credentials in TP-Link TL-WR845N firmware

Poc-CVE-2024-57040 CVE-2024-57040 is a security vulnerability...

CVSS 9.8 · AI score 9.7 · EPSS 0.0105
Exploits: 1
OSV
added 2025/02/24 4:15 p.m.

CVE-2024-56897

Improper access control in the HTTP server in YI Car Dashcam v3.88 allows unrestricted file downloads, uploads, and API commands. API commands can also be made to make unauthorized modifications to the device settings, such as disabling recording, disabling sounds, factory reset...

CVSS 9.8 · AI score 5.8 · EPSS 0.0069
Exploits: 1 · References: 3
Cvelist
added 2025/02/24 12:00 a.m.

CVE-2024-56897

Improper access control in the HTTP server in YI Car Dashcam v3.88 allows unrestricted file downloads, uploads, and API commands. API commands can also be made to make unauthorized modifications to the device settings, such as disabling recording, disabling sounds, factory reset...

EPSS 0.0069
Exploits: 1 · References: 3