← All CVEs

CVE-2025-71321

CRITICAL 9.3

Published 2026-06-17 · Last modified 2026-06-17

picklescan before 0.0.33 contains an arbitrary file writing vulnerability that allows attackers to bypass the dangerous blocklist by using distutils.file_util.write_file. Attackers can construct malicious pickle objects to overwrite critical system files and achieve denial of service or remote code execution.

ELEVATED IMPACT

Severe if exploited (CVSS 9.3), but no known exploitation and low modeled probability. Patch on a normal cadence.

Exploitation likelihood

0.6%chance of exploitation in 30 days · 45th percentile

○ In CISA KEV ○ Public exploit / PoC

Impact if exploited

9.3CVSS 4.0 · CRITICAL

  • ConfidentialityHigh
  • IntegrityHigh
  • AvailabilityHigh

What an attacker needs

  • Access: Reachable over the network — no local access needed
  • Privileges: No account or privileges required
  • User interaction: No user interaction needed
  • Complexity: No special conditions — reliably repeatable
  • Requirements: No special attack requirements

✓ lowers the bar for an attacker · ⚠ raises it

Affected

Vendors Picklescan

Products Picklescan

Weakness (CWE)

  • CWE-502: Deserialization of untrusted data

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Sources: NVD · CVE.org · EPSS