Lucene search
K

14 matches found

EUVD
EUVD
added 2 days ago6 views

EUVD-2025-210413

picklescan before 0.0.33 fails to detect malicious pickle files using numpy.f2py.crackfortran.parameval function in reduce methods, allowing attackers to bypass security checks. Remote attackers can embed undetected code in pickle files that executes during deserialization, enabling arbitrary cod...

8.1CVSS6.6AI score0.00445EPSS
Exploits0References2
NVD
NVD
added 2026/05/27 8:16 p.m.11 views

CVE-2026-47161

RELATE is a web-based courseware package. Prior to commit d66ba5659b459bf1ba56b7109b5f9ecf197cbefb, RELATE LMS configures its Celery workers to accept and deserialize untrusted 'pickle' data. An attacker who can reach the message broker can execute arbitrary commands on the host server. Combined...

8.7CVSS0.00489EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/27 12:0 a.m.13 views

PT-2026-44080

Name of the Vulnerable Software and Affected Versions RELATE versions prior to commit d66ba5659b459bf1ba56b7109b5f9ecf197cbefb Description RELATE LMS configures its Celery workers to accept and deserialize untrusted pickle data. Pickle is a Python module used for serializing and deserializing...

8.7CVSS6.5AI score0.00489EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/05/18 12:31 p.m.13 views

SGLanG: Multimodal scheduler deserializes untrusted pickle data on 0.0.0.0 ROUTER socket

SGLang's multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0 by default and contains a sink that calls pickle.loads on incoming messages, enabling RCE when exposed to the internet...

9.8CVSS5.8AI score0.00399EPSS
Exploits0References4Affected Software1
Snyk
Snyk
added 2026/04/24 2:34 a.m.9 views

Deserialization of Untrusted Data

Overview ktransformers is a KTransformers: CPU-GPU heterogeneous inference framework for LLMs Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the balanceserve process. An attacker can execute arbitrary code by sending a crafted pickle payload to the expos...

9.8CVSS6.1AI score0.00703EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/04/23 9:24 p.m.30 views

CVE-2026-26210 KTransformers Unsafe Deserialization RCE via balance_serve

KTransformers through 0.5.3 contains an unsafe deserialization vulnerability in the balanceserve backend mode where the scheduler RPC server binds a ZMQ ROUTER socket to all interfaces with no authentication and deserializes incoming messages using pickle.loads without validation. Attackers can...

9.8CVSS0.00703EPSS
Exploits1References3
CNNVD
CNNVD
added 2026/03/20 12:0 a.m.8 views

DeepDiff 资源管理错误漏洞

DeepDiff is a Python library developed by Sep Dehpour. Versions of DeepDiff from 5.0.0 to 8.6.2 had a resource management vulnerability. This vulnerability stemmed from the lack of restrictions on constructor parameters by the RestrictedUnpickler, which could lead to excessive memory consumption...

8.7CVSS5.8AI score0.00452EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2025/12/30 3:20 p.m.9 views

Picklescan is vulnerable to RCE through missing detection when calling numpy.f2py.crackfortran._eval_length

Summary Picklescan uses the numpy.f2py.crackfortran.evallength function a NumPy F2PY helper to execute arbitrary Python code during unpickling. Details Picklescan fails to detect a malicious pickle that uses the gadget numpy.f2py.crackfortran.evallength in reduce, allowing arbitrary command...

8.1CVSS8AI score0.00301EPSS
Exploits0References5Affected Software1
EUVD
EUVD
added 2025/10/22 4:45 p.m.8 views

EUVD-2025-35596

Scapy Session Loading Vulnerable to Arbitrary Code Execution via Untrusted Pickle Deserialization...

6.7AI score
Exploits0References3
Veracode
Veracode
added 2025/09/24 5:33 a.m.6 views

Remote Code Execution (RCE)

cProfile is vulnerable to Remote Code Execution RCE.The vulnerability is due to unsafe deserialization/execution because cProfile.runctx can be abused to execute code from untrusted pickle files passed into its execution context...

8AI score
Exploits0
Veracode
Veracode
added 2025/09/16 5:53 a.m.6 views

Remote Code Execution (RCE)

picklescan is vulnerable to Remote Code Execution RCE. The vulnerability is due to improper handling of untrusted pickle data in the function’s reduce flow, which allows an attacker to craft a malicious pickle that bypasses the victim’s Picklescan check and achieve arbitrary code execution when t...

8.3AI score
Exploits0
OSV
OSV
added 2025/03/20 10:15 a.m.8 views

PYSEC-2025-222

vllm-project vllm version 0.6.0 contains a vulnerability in the AsyncEngineRPCServer RPC server entrypoints. The core functionality runserverloop calls the function makehandlercoro, which directly uses cloudpickle.loads on received messages without any sanitization. This can result in remote code...

9.8CVSS6.4AI score0.01274EPSS
Exploits1References2
Veracode
Veracode
added 2024/09/16 8:25 a.m.7 views

Deserialization Of Untrusted Data

MindsDB is vulnerable to Deserialization of Untrusted Data. The vulnerability is caused due to improper deserialization of untrusted pickle data in the finetune method within byomhandler.py, which allows the execution of arbitrary code on the server during the 'finetune' process...

7.5CVSS7.3AI score0.00481EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2022/05/24 10:0 p.m.1 views

GHSA-9FQ2-X9R6-WFMF Numpy Deserialization of Untrusted Data

DISPUTED An issue was discovered in NumPy 1.16.0 and earlier. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call. NOTE: third parties dispute this issue because it is a behavior...

9.8CVSS7.6AI score0.17078EPSS
Exploits2References14
Rows per page
Query Builder