Arbitrary Code Execution Vulnerability in Picklescan Software by Maitre314
CVE-2025-71348
7.6 HIGH
What is CVE-2025-71348?
Picklescan versions prior to 0.0.28 are susceptible to a detection bypass involving malicious pickle files. A crafted pickle file can circumvent the scanner's detection mechanisms and invoke the 'torch.utils._config_module.load_config' function during deserialization, specifically within reduce methods. The result is arbitrary code execution during the pickle.load operation, which poses a substantial risk of remote code execution in supply chain contexts.
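As an added example (not picklescan's code and not part of this advisory), the sketch below shows a defensive pre-load check that walks a pickle's opcodes without deserializing it and reports any reference to the import named above. The function name, the blocklist variable and the sample byte strings are assumptions constructed for illustration.

```python
import pickle
import pickletools

# Hypothetical names throughout; the one blocked import is the one named in the CVE text.
BLOCKED = {("torch.utils._config_module", "load_config")}

def find_blocked_imports(data: bytes):
    """Return blocked (module, name) pairs referenced by a pickle stream.

    Uses pickletools.genops, which only decodes opcodes and never imports
    or calls anything, so it can be run on untrusted input.
    """
    hits, strings = [], []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name in ("GLOBAL", "INST"):
            # arg is "module name" joined by a single space
            module, _, name = arg.partition(" ")
        elif opcode.name == "STACK_GLOBAL":
            # Heuristic: module and name are the two most recent string
            # pushes (memo lookups via BINGET are not resolved here).
            if len(strings) < 2:
                continue
            module, name = strings[-2], strings[-1]
        else:
            if isinstance(arg, str):
                strings.append(arg)
            continue
        if (module, name) in BLOCKED:
            hits.append((module, name))
    return hits

MOD, NAME = "torch.utils._config_module", "load_config"
# Constructed samples: each only references the import, nothing is called.
SAMPLE_GLOBAL = f"c{MOD}\n{NAME}\n.".encode()
SAMPLE_STACK_GLOBAL = (b"\x80\x04\x8c" + bytes([len(MOD)]) + MOD.encode()
                       + b"\x8c" + bytes([len(NAME)]) + NAME.encode() + b"\x93.")
SAMPLE_BENIGN = pickle.dumps({"weights": [1, 2, 3]})
```

A check like this complements, rather than replaces, upgrading picklescan to a fixed release and preferring non-pickle formats for untrusted model files.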
Affected Version(s)
picklescan 0 < 0.0.28
picklescan 0.0.28
