Arbitrary Code Execution in Picklescan Affected by Torch Function Calls
CVE-2025-71366

7.6HIGH

Key Information:

Vendor

Picklescan

Vendor
CVE Published:
4 July 2026

What is CVE-2025-71366?

In versions prior to 0.0.28, Picklescan fails to adequately validate calls to torch.utils.bottleneck.main.run_cprofile within pickle files. This oversight allows remote attackers to embed harmful code undetected. When victims load these compromised pickle files, malicious actions can be executed, potentially leading to significant security breaches.

Affected Version(s)

picklescan 0 < 0.0.28

picklescan 0.0.28

References

CVSS V4

Score:
7.6
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

FredericDT
.