← back
CVE-2025-71347

picklescan - Undetected Remote Code Execution via numpy.f2py.crackfortran.param_eval

CVSS 7.6 HIGHCWE-502
Vexday Risk Score
18Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 7.6EPSS KEV nãoPoC Nuclei Metasploit Patch referenciado
Lifecycle
04 Jul 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
picklescan before 0.0.33 fails to detect malicious pickle files using numpy.f2py.crackfortran.param_eval function in reduce methods, allowing attackers to bypass security checks. Remote attackers can embed undetected code in pickle files that executes during deserialization, enabling arbitrary code execution in applications loading untrusted pickle data.
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Affected products
picklescan · picklescan