PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-60236 EMV CVE debrief

A critical Deserialization of Untrusted Data vulnerability was discovered in EMV Creatify, allowing Object Injection. The issue affects Creatify versions up to and including 1.5; the CVE record lists no starting version (n/a). The vulnerability has a CVSS score of 9.8, which is rated critical. The CVE was published on 2026-06-17T14:17:31.320Z and last modified on 2026-06-17T15:16:36.183Z. Organizations using Creatify should take immediate action to mitigate this vulnerability.

Vendor: EMV
Product: Creatify
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-17
Advisory published: 2026-06-17
Advisory updated: 2026-06-17

Who should care

Administrators and users of EMV Creatify, especially those using versions 1.5 or earlier, should be aware of this critical vulnerability and take necessary actions to secure their systems.

Technical summary

The Deserialization of Untrusted Data vulnerability in EMV Creatify allows for Object Injection, which can lead to arbitrary code execution. The vulnerability is caused by the deserialization of untrusted data, which can be exploited by an attacker to inject malicious objects. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Defensive priority

critical

Recommended defensive actions

  • Update Creatify to the latest version, if available.
  • Apply patches or hotfixes provided by the vendor, if available.
  • Restrict access to the affected systems and limit the attack surface.
  • Implement input validation and sanitization to prevent deserialization of untrusted data.
  • Monitor systems for suspicious activity and implement incident response plans.
  • Consider using a Web Application Firewall (WAF) to detect and prevent attacks.
  • Review and update security policies and procedures to ensure secure coding practices.

Evidence notes

The information provided is based on the CVE record and NVD details. The CVE was published on 2026-06-17T14:17:31.320Z and last modified on 2026-06-17T15:16:36.183Z. The vulnerability is classified as CWE-502.
