CVE-2025-71368 HIGH

CVE-2025-71368: picklescan - Arbitrary Code Execution via Undetected doctest.debug_script

Vendor Picklescan
Product picklescan
Weakness CWE-502 · Unsafe deserialization
Published June 30, 2026
Last update July 1, 2026

CVSS base score

7.6/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

picklescan before 0.0.30 fails to detect the doctest.debug_script function when analyzing pickle files, allowing attackers to execute arbitrary code. Remote attackers can craft malicious pickle files embedding doctest.debug_script calls that bypass picklescan detection and execute arbitrary commands upon pickle.load invocation.

Key dates

02Disclosure timeline

June 30, 2026 CVE published
July 1, 2026 Record updated