Remote Code Execution Vulnerability in Picklescan by MMAITRE314
CVE-2025-71367

7.6HIGH

Key Information:

Vendor

Picklescan

Vendor
CVE Published:
4 July 2026

What is CVE-2025-71367?

Prior to version 0.0.34, Picklescan fails to properly detect the use of the _operator.attrgetter function within pickle payloads. This oversight allows remote attackers to circumvent existing security checks by crafting malicious pickle files. When these files are processed using pickle.load(), it can lead to the execution of arbitrary code, posing significant security risks for systems relying on this functionality.

Affected Version(s)

picklescan 0 < 0.0.34

picklescan 0.0.34

References

CVSS V4

Score:
7.6
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

CoolwindHF
.