CVE-2025-71359
Severity CVSS v4.0:
HIGH
Type:
CWE-502
Deserialization of Untrusted Dat
Publication date:
04/07/2026
Last modified:
04/07/2026
Description
picklescan before 0.0.29 fails to detect malicious pickle payloads that utilize lib2to3.pgen2.grammar.Grammar.loads in the reduce method, allowing remote code execution. Attackers can craft pickle files embedding dangerous code that evades picklescan detection and executes during pickle.load() deserialization.
Impact
Base Score 4.0
7.60
Severity 4.0
HIGH
Base Score 3.x
8.10
Severity 3.x
HIGH



