CVE-2025-71340

picklescan through 0.0.26 fails to detect malicious pickle files that invoke idlelib.pyshell.ModifiedInterpreter.runcode in reduce methods. Attackers can embed undetected code in pickle files that executes arbitrary commands when the file is loaded via pickle.load, enabling supply chain attacks o...

CVE-2025-71340

CVE-2025-71340 affects the picklescan tool up to version 0.0.26, where malicious pickle files can invoke idlelib.pyshell.ModifiedInterpreter.runcode via reduce , allowing code execution when loaded with pickle.load(). This enables supply‑chain attacks on PyTorch models and saved Python objects. T...

EUVD-2025-29433

Malicious code in bioql PyPI...

Remote Code Execution (RCE)

picklescan is vulnerable to Remote Code Execution RCE. The vulnerability is due to the idlelib.run.Executive.runcode function executing arbitrary pickle files, which allows an attacker to run malicious code remotely...

Picklescan is missing detection when calling built-in python idlelib.run.Executive.runcode

Summary Using idlelib.run.Executive.runcode function, which is a built-in python library function to execute remote pickle file. Details The attack payload executes in the following steps: First, the attacker craft the payload by calling to idlelib.run.Executive.runcode function in reduce method...

PT-2025-3828 · Kaiyuantong · Kaiyuantong Ect Platform

Name of the Vulnerable Software and Affected Versions: KaiYuanTong ECT Platform versions up to 2.0.0 Description: A critical issue has been found in the HTTP POST Request Handler component of the affected software, specifically in the file /public/server/runCode.php. The manipulation of the code...

PYSEC-2024-9

MetaGPT through 0.6.4 allows the QaEngineer role to execute arbitrary code because RunCode.runscript passes shell metacharacters to subprocess.Popen...

XSS to LFI in Runcode Feature

Description By default runcode santized document prefix but if html encode to...