CVE-2025-71320

CRITICAL SEVERITY

CVSS Score & Metrics

Base Score

9.8 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H                                    

Vulnerability Description

picklescan before 0.0.33 contains an incomplete deny-list that fails to block pydoc.locate and operator.methodcaller functions, allowing attackers to bypass security checks. Remote attackers can craft malicious pickle files using these unblocked functions to achieve arbitrary code execution when the pickle is deserialized.

Vulnerability Details

Published Date

June 17, 2026

Last Modified

June 17, 2026

CWE ID

CWE-184

Source

NVD

Vendor

picklescan

Product

picklescan

External References

https://github.com/mmaitre314/picklescan/security/advisories/GHSA-84r2-jw7c-4r5q
https://www.vulncheck.com/advisories/picklescan-remote-code-execution-via-incomplete-disallowed-inputs
https://github.com/mmaitre314/picklescan/security/advisories/GHSA-84r2-jw7c-4r5q

CVE-2025-71320

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment