VYPR
Moderate severity · NVD Advisory · Published Jun 22, 2026

picklescan - Remote Code Execution via idlelib.autocomplete.AutoComplete.get_entity

CVE-2025-71358

Description

picklescan before 0.0.29 fails to detect malicious pickle files that use the idlelib.autocomplete.AutoComplete.get_entity function in their reduce methods. Attackers can embed code in a pickle file that goes undetected by the scanner and executes arbitrary commands when a victim loads the file with pickle.load().
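A static check for the import named above, as an added example (not code from the advisory or from picklescan): it walks the opcode stream with pickletools, never unpickles, and fails closed when an import cannot be resolved. The denylist contents, the function names and both sample byte strings are assumptions constructed for this illustration.

```python
import pickletools

# Assumed denylist for this example; only the idlelib entry is named by the advisory.
DENYLIST = {("idlelib.autocomplete", "AutoComplete.get_entity"), ("os", "system")}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}
GET_OPS = {"GET", "BINGET", "LONG_BINGET"}
PUT_OPS = {"PUT", "BINPUT", "LONG_BINPUT"}

def imported_globals(data):
    """List the (module, name) pairs a pickle would import, without loading it."""
    found, memo, recent = [], {}, [None, None]
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            recent.append(arg)
        elif op.name in GET_OPS:
            recent.append(memo.get(arg))      # string operand reused from the memo
        elif op.name == "MEMOIZE":
            memo[len(memo)] = recent[-1]
        elif op.name in PUT_OPS:
            memo[arg] = recent[-1]
        elif op.name in ("GLOBAL", "INST"):   # arg is "module name"
            found.append(tuple(arg.split(" ", 1)))
            recent.append(None)
        elif op.name == "STACK_GLOBAL":       # operands are the two preceding strings
            found.append((recent[-2], recent[-1]))
            recent.append(None)
        elif op.stack_before or op.stack_after:
            recent.append(None)               # other stack activity: operand unknown
    return found

def scan(data):
    """Return the imports that should block loading: denylisted or unresolved."""
    try:
        return [g for g in imported_globals(data) if None in g or g in DENYLIST]
    except Exception:
        return [(None, None)]                 # unparseable stream: fail closed

def short_unicode(text):
    """SHORT_BINUNICODE encoding of text, used to build the constructed samples."""
    return b"\x8c" + bytes([len(text)]) + text.encode()

MODULE, NAME = "idlelib.autocomplete", "AutoComplete.get_entity"
# Constructed samples: each only references the global; neither calls it.
SAMPLE_GLOBAL = f"c{MODULE}\n{NAME}\n.".encode()
SAMPLE_STACK_GLOBAL = (b"\x80\x04" + short_unicode(MODULE) + b"\x94"
                       + short_unicode(NAME) + b"\x94\x93.")

if __name__ == "__main__":
    for label, blob in (("GLOBAL", SAMPLE_GLOBAL), ("STACK_GLOBAL", SAMPLE_STACK_GLOBAL)):
        print(label, scan(blob))
```

A denylist like this only catches imports someone has already listed, which is the gap this advisory describes; restricting `Unpickler.find_class` to an allowlist is the stronger control when untrusted pickles must be loaded at all.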

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
picklescan (PyPI) | < 0.0.29 | 0.0.29
