PULSE
LIVE18signals / 24h
FEED
ransomthegentlemen reclama a Military Sealift Command · US · Transportation/Logisticsransomthegentlemen reclama a Advantage Home Health Care · US · Healthcareransomthegentlemen reclama a Sunway Scientific · TW · Manufacturingransomqilin reclama a Cafar · AR · Agriculture and Food Productionransominterlock reclama a Centre for Newcomers · CA · Public Sectorransominterlock reclama a Paragon Store Fixtures · US · Manufacturingransomakira reclama a Westcoast Communication Services · Telecommunicationransomakira reclama a Nesco Bus Maintenance · Transportation/Logisticsransomm3rx reclama a suppcentersa.com · ZA · Business Servicesransomm3rx reclama a arambol.co.uk · GB · Not Foundransomincransom reclama a Kyokuto Kaihatsu Kogyo · JP · Manufacturingransomnova reclama a Phi · Not Foundransomnova reclama a Digipro · Technologyransomnova reclama a Integrated Marketing Services · Business Servicesransomthegentlemen reclama a Military Sealift Command · US · Transportation/Logisticsransomthegentlemen reclama a Advantage Home Health Care · US · Healthcareransomthegentlemen reclama a Sunway Scientific · TW · Manufacturingransomqilin reclama a Cafar · AR · Agriculture and Food Productionransominterlock reclama a Centre for Newcomers · CA · Public Sectorransominterlock reclama a Paragon Store Fixtures · US · Manufacturingransomakira reclama a Westcoast Communication Services · Telecommunicationransomakira reclama a Nesco Bus Maintenance · Transportation/Logisticsransomm3rx reclama a suppcentersa.com · ZA · Business Servicesransomm3rx reclama a arambol.co.uk · GB · Not Foundransomincransom reclama a Kyokuto Kaihatsu Kogyo · JP · Manufacturingransomnova reclama a Phi · Not Foundransomnova reclama a Digipro · Technologyransomnova reclama a Integrated Marketing Services · Business Services
← All CVEs
CVE WatchJul 1, 2026

CVE-2025-71374

picklescan before 0.0.29 fails to detect the built-in python profile.Profile.run function when used in pickle reduce methods, allowing attac

CVSS

8.1

High

EPSS

0.6%

p46

KEV

Exploit Today

14

0-100

Published: Jun 30, 2026 · Last modified: Jul 1, 2026 · CWE-502

EPSS · 30d
0.6%EPSS · 30 days0.6%
2026-07-012026-07-17
Technical description

picklescan before 0.0.29 fails to detect the built-in python profile.Profile.run function when used in pickle reduce methods, allowing attackers to execute arbitrary code. Remote attackers can craft malicious pickle files that bypass picklescan detection and achieve code execution upon deserialization.

Official references
Related CVEs
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2021-422379.8 CRI
99.9%
KEV80Sitecore XP Remote Command Execution Vulnerability8d
CVE-2026-456598.8 HIG
86.8%
KEV76Microsoft SharePoint Server Deserialization of Untrusted Data Vulnerability15d
CVE-2026-586449.8 CRI
70.7%
KEV71Microsoft SharePoint Deserialization of Untrusted Data Vulnerability19h
CVE-2026-125699.8 CRI
66.0%
KEV70PTC Windchill and FlexPLM Improper Input Validation Vulnerability17d
CVE-2026-505229.8 CRI
97.2%
29Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a network.2d
CVE-2025-560059.8 CRI
96.7%
29An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 allows Remote Code Execution (RCE) via the `picklefile` parameter in the `yacc()` function. This parameter accepts a `.pkl` file that is deserialized with `pickle.load()` without validation. Because `pickle` allows execution of embedded code via `__reduce__()`, an attacker can achieve code execution by passing a malicious pickle file. The parameter is not mentioned in official documentation or the GitHub repository, yet it is active in the PyPI version. This introduces a stealthy backdoor and persistence risk. NOTE: A third-party states that this vulnerability should be rejected because the proof of concept does not demonstrate arbitrary code execution and fails to complete successfully.3d