Lucene search
+L

156 matches found

cve
cve
added 2026/06/23 12:12 p.m.20 views

CVE-2025-71341

CVE-2025-71341 : The affected component is picklescan (versions before 0.0.29). The root cause is that the analyzer fails to detect the profile.Profile.runctx function when inspecting pickle files, specifically in the reduce method. This enables remote attackers to craft pickle payloads that embe...

8.1CVSS6.5AI score0.00466EPSS
Exploits0References2
cve
cve
added 2026/06/22 9:4 p.m.21 views

CVE-2025-71358

CVE-2025-71358 concerns the Python tool picklescan (pre-0.0.29) failing to detect malicious pickle payloads that exploit the function idlelib.autocomplete.AutoComplete.get_entity in reduce methods. When a crafted pickle is loaded with pickle.load(), arbitrary commands can execute, enabling remote...

8.1CVSS6.1AI score0.00248EPSS
Exploits0References2
cvelist
cvelist
added 2026/06/22 9:4 p.m.21 views

CVE-2025-71358 picklescan - Remote Code Execution via idlelib.autocomplete.AutoComplete.get_entity

picklescan before 0.0.29 fails to detect malicious pickle files that exploit idlelib.autocomplete.AutoComplete.getentity function in reduce methods. Attackers can embed undetected code in pickle files that executes arbitrary commands when loaded by victims using pickle.load...

8.1CVSS0.00248EPSS
Exploits0References2
euvd
euvd
added 2026/06/22 9:4 p.m.7 views

EUVD-2025-210302

picklescan before 0.0.30 affected versions 0.0.26 and earlier fails to detect the ensurepip.runpip built-in function when scanning pickle files, allowing attackers to execute arbitrary code. Malicious pickle files embedding ensurepip.runpip calls in reduce methods bypass picklescan detection and...

8.1CVSS6.8AI score0.00367EPSS
Exploits0References2
attackerkb
attackerkb
added 2026/06/22 9:4 p.m.4 views

CVE-2025-71339

Picklescan before 0.0.33 fails to detect the numpy.f2py.crackfortran.evallength gadget in pickle reduce methods, allowing arbitrary code execution. Attackers can craft malicious pickle files that execute arbitrary Python code when loaded by victims who trust Picklescan's safety validation...

8.1CVSS6.2AI score0.00301EPSS
Exploits0References3
snyk
snyk
added 2026/06/21 3:12 p.m.4 views

Deserialization of Untrusted Data

Overview picklescan is a Security scanner detecting Python Pickle files performing suspicious actions Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the runcommand function of idlelib.pyshell.ModifiedInterpreter when handling pickle files in reduce method...

9.6CVSS6.2AI score0.00276EPSS
Exploits1References2
nvd
nvd
added 2026/06/21 2:16 p.m.12 views

CVE-2025-71378

picklescan before 0.0.30 fails to detect cProfile.runctx function calls in pickle file reduce methods, allowing attackers to execute arbitrary code. Malicious pickle files bypass picklescan detection and execute remote code when loaded via pickle.load...

8.1CVSS0.00338EPSS
Exploits1References2
nvd
nvd
added 2026/06/21 2:16 p.m.12 views

CVE-2025-71357

picklescan before 0.0.30 fails to detect malicious pickle files using idlelib.pyshell.ModifiedInterpreter.runcommand in reduce methods. Attackers can embed undetected code in pickle files that executes remote commands when loaded by victims...

8.1CVSS0.00276EPSS
Exploits1References2
nvd
nvd
added 2026/06/21 2:16 p.m.16 views

CVE-2025-71351

picklescan before 0.0.25 fails to detect malicious pickle files that use timeit.timeit in the reduce method, allowing remote code execution. Attackers can craft pickle files that import dangerous libraries like os and execute arbitrary system commands, which evade picklescan detection and execute...

7.6CVSS0.00418EPSS
Exploits0References2
nvd
nvd
added 2026/06/21 2:16 p.m.13 views

CVE-2025-71348

picklescan before 0.0.28 fails to detect malicious pickle files that invoke torch.utils.configmodule.loadconfig function within reduce methods. Attackers can craft pickle files embedding arbitrary code that evades detection but executes during pickle.load, enabling remote code execution in supply...

8.1CVSS0.00397EPSS
Exploits1References2
cvelist
cvelist
added 2026/06/21 1:26 p.m.35 views

CVE-2025-71378 picklescan - Remote Code Execution via Undetected cProfile.runctx in Pickle Files

picklescan before 0.0.30 fails to detect cProfile.runctx function calls in pickle file reduce methods, allowing attackers to execute arbitrary code. Malicious pickle files bypass picklescan detection and execute remote code when loaded via pickle.load...

8.1CVSS0.00338EPSS
Exploits1References2
euvd
euvd
added 2026/06/21 1:26 p.m.10 views

EUVD-2025-210293

picklescan before 0.0.30 fails to detect malicious pickle files using idlelib.pyshell.ModifiedInterpreter.runcommand in reduce methods. Attackers can embed undetected code in pickle files that executes remote commands when loaded by victims...

8.1CVSS6AI score0.00276EPSS
Exploits1References2
attackerkb
attackerkb
added 2026/06/21 1:26 p.m.6 views

CVE-2025-71357

picklescan before 0.0.30 fails to detect malicious pickle files using idlelib.pyshell.ModifiedInterpreter.runcommand in reduce methods. Attackers can embed undetected code in pickle files that executes remote commands when loaded by victims...

8.1CVSS6AI score0.00276EPSS
Exploits1References3
euvd
euvd
added 2026/06/21 1:26 p.m.7 views

EUVD-2025-210291

picklescan before 0.0.28 fails to detect malicious pickle files that invoke torch.utils.configmodule.loadconfig function within reduce methods. Attackers can craft pickle files embedding arbitrary code that evades detection but executes during pickle.load, enabling remote code execution in supply...

8.1CVSS6.7AI score0.00397EPSS
Exploits1References2
osv
osv
added 2026/06/21 1:26 p.m.3 views

CVE-2025-71348 picklescan - Arbitrary Code Execution via torch.utils._config_module.load_config Bypass

picklescan before 0.0.28 fails to detect malicious pickle files that invoke torch.utils.configmodule.loadconfig function within reduce methods. Attackers can craft pickle files embedding arbitrary code that evades detection but executes during pickle.load, enabling remote code execution in supply...

7.6CVSS6.8AI score0.00397EPSS
Exploits1References4
osv
osv
added 2026/06/17 6:35 p.m.9 views

GHSA-4MPJ-78P6-RJ59 Duplicate Advisory: PickleScan's profile.run blocklist mismatch allows exec() bypass

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-7wx9-6375-f5wh. This link is maintained to preserve external references. Original Description picklescan before 1.0.4 contains an incomplete blocklist for the profile module that fails to block the module-level...

9.8CVSS6.3AI score0.0046EPSS
Exploits0References3
github
github
added 2026/06/17 6:35 p.m.11 views

Duplicate Advisory: picklescan missing detection by simple obfuscation of a `builtins.eval` call

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-9m3x-qqw2-h32h. This link is maintained to preserve external references. Original Description picklescan before 1.0.1 contains an unsafe deserialization vulnerability allowing unauthenticated users to execute...

9.8CVSS6AI score0.00519EPSS
Exploits0References4Affected Software1
snyk
snyk
added 2026/06/17 6:35 p.m.3 views

Incomplete List of Disallowed Inputs

Overview picklescan is a Security scanner detecting Python Pickle files performing suspicious actions Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the incomplete deny-list in the deserialization. An attacker can execute arbitrary code on the end use...

9.8CVSS6.2AI score0.00623EPSS
Exploits0References2
osv
osv
added 2026/06/17 6:35 p.m.6 views

GHSA-5RPH-Q42J-36J9 Duplicate Advisory: Picklescan has pickle parsing logic flaw that leads to malicious pickle file bypass

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-9gvj-pp9x-gcfr. This link is maintained to preserve external references. Original Description picklescan before 0.0.27 contains a parsing logic error in the listglobals function when handling STACKGLOBAL opcodes...

9.8CVSS5.2AI score0.00475EPSS
Exploits0References4
euvd
euvd
added 2026/06/17 3:5 p.m.10 views

EUVD-2026-37739

picklescan before 1.0.4 contains an incomplete blocklist for the profile module that fails to block the module-level profile.run function, allowing attackers to achieve arbitrary code execution via exec. Attackers can craft malicious pickle files calling profile.runstatement to execute arbitrary...

9.8CVSS6.3AI score0.0046EPSS
Exploits0References2
Rows per page
Query Builder