CVE-2025-71362
Severity CVSS v4.0:
HIGH
Type:
CWE-502
Deserialization of Untrusted Dat
Publication date:
04/07/2026
Last modified:
04/07/2026
Description
picklescan before 0.0.33 fails to detect unsafe deserialization when numpy.f2py.crackfortran functions call eval on arbitrary strings. Attackers can embed malicious code in pickle files that executes when loaded from untrusted sources.
Impact
Base Score 4.0
7.60
Severity 4.0
HIGH
Base Score 3.x
8.10
Severity 3.x
HIGH



