The Art of Hide and Seek: Making Pickle-Based Model Supply Chain Poisoning Stealthy Again

Pickle deserialization vulnerabilities have persisted throughout Python's history, remaining widely recognized yet unresolved. Due to its ability to transparently save and restore complex objects into byte streams, many AI/ML frameworks continue to adopt pickle as the model serialization protocol...

Remote Code Execution

getgrav/grav is vulnerable to remote code execution. An authenticated remote attacker is able to cause server side template injection via Twig which renders risky functions by default, such as system...