Max
1 CVEs
product
Monthly
Unsafe Deserialization vulnerability in Modular Max Serve before 25.6, specifically when the "--experimental-enable-kvcache-agent" feature is used allowing attackers to execute arbitrary code. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. Public exploit code available.
Deserialization
RCE
Max
NVD
GitHub
CVSS 3.1
8.4
EPSS
0.1%
CVE-2025-60455
EPSS 0%
CVSS 8.4
HIGH
POC
PATCH
This Week
Unsafe Deserialization vulnerability in Modular Max Serve before 25.6, specifically when the "--experimental-enable-kvcache-agent" feature is used allowing attackers to execute arbitrary code. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. Public exploit code available.
Deserialization
RCE
Max
NVD
GitHub