CVE-2021-47935

HIGH

Sentry 8.2.0 Remote Code Execution via Pickle Deserialization

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-47935. PoCs published by Mohin Paramasivam.

AI-analyzed exploit summary This exploit leverages a deserialization vulnerability in Sentry's audit log functionality to achieve authenticated remote code execution. It crafts a malicious pickle payload containing a reverse shell command, which is then submitted via an authenticated admin session.

Description

Sentry 8.2.0 contains a remote code execution vulnerability that allows authenticated superusers to execute arbitrary commands by injecting malicious pickle-serialized objects through the audit log entry data parameter. Attackers can submit crafted POST requests to the admin audit log endpoint with base64-encoded compressed pickle payloads in the data field to achieve code execution with application privileges.

Exploits (1)

exploitdb WORKING POC

by Mohin Paramasivam · pythonwebappspython

https://www.exploit-db.com/exploits/50318

View Code ZIP pw:eip

This exploit leverages a deserialization vulnerability in Sentry's audit log functionality to achieve authenticated remote code execution. It crafts a malicious pickle payload containing a reverse shell command, which is then submitted via an authenticated admin session.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Sentry < 8.2.2

Auth required

Prerequisites: Authenticated admin/superuser access · Valid credentials · Network access to the target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed May 10, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit exploit

ExploitDB-50318

https://www.exploit-db.com/exploits/50318

Product product

Product Reference

https://sentry.io/welcome/

Third Party Advisory third-party-advisory

VulnCheck Advisory: Sentry 8.2.0 Remote Code Execution via Pickle Deserialization

https://www.vulncheck.com/advisories/sentry-remote-code-execution-via-pickle-deserialization

Scores

CVSS v3 8.8

EPSS 0.0048

EPSS Percentile 65.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-94

Status published

Products (4)

pypi/sentry 0 - 8.1.4PyPI

pypi/sentry 8.2.0 - 8.2.2PyPI

sentry/sentry 8.2.0

Sentry/Sentry 8.2.0

Published May 10, 2026

Tracked Since May 10, 2026