PT-2026-55671 · Picklescan · Picklescan

Fredericdt

·

Published

2026-07-04

·

Updated

2026-07-04

·

CVE-2025-71356

CVSS v3.1

8.1

High

VectorAV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
picklescan before 0.0.28 fails to detect malicious torch.fx.experimental.symbolic shapes.ShapeEnv.evaluate guards expression function calls in pickle files. Attackers can embed undetected code in pickle files that executes remote code when loaded by victims.

Fix

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2025-71356

Affected Products

Picklescan