CVE-2025-71354
HIGHpicklescan - Remote Code Execution via idlelib.debugobj.ObjectTreeItem.SetText
Title source: cnaDescription
picklescan before 0.0.29 fails to detect malicious pickle files that exploit idlelib.debugobj.ObjectTreeItem.SetText function in reduce methods. Attackers can craft pickle files with embedded code that bypasses picklescan detection and executes arbitrary commands when pickle.load() is called.
References (2)
Core 2
Core References
Vendor Advisory vendor-advisory
GitHub Security Advisory (GHSA-3vg9-h568-4w9m)
https://github.com/mmaitre314/picklescan/security/advisories/GHSA-3vg9-h568-4w9m
Third Party Advisory third-party-advisory
VulnCheck Advisory: picklescan - Remote Code Execution via idlelib.debugobj.ObjectTreeItem.SetText
https://www.vulncheck.com/advisories/picklescan-remote-code-execution-via-idlelib-debugobj-objecttreeitem-settext
Scores
CVSS v3
8.1
EPSS
0.0025
EPSS Percentile
16.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-502
Status
published
Products (3)
picklescan/picklescan
< 0.0.29
picklescan/picklescan
0.0.29
pypi/picklescan
0 - 0.0.29PyPI
Published
Jun 24, 2026
Tracked Since
Jun 24, 2026