cvedb.io
CVE-2025-64408
MEDIUM · CVSS 6.3
EPSS exploitation probability: 0%
Published 2025-11-19T11:15:47.790 · Last modified 2026-06-17T09:54:20.770

Summary

Apache Causeway faces Java deserialization vulnerabilities that allow remote code execution (RCE) through user-controllable URL parameters. These vulnerabilities affect all applications using Causeway's ViewModel functionality and can be exploited by authenticated attackers to execute arbitrary code with application privileges. This issue affects all current versions. Users are recommended to upgrade to version 3.5.0, which fixes the issue.

Affected products

apache — causeway

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.