CVE-2021-47952

CVE Database · CVE-2021-47952

CVE-2021-47952

· CRITICALDeferred

CVSS v3.1

9.8

CVSS v4.0

9.3

EPSS

0.63%

Published

May 16, 2026

Modified

May 26, 2026

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

python jsonpickle 2.0.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary Python commands by deserializing malicious JSON payloads containing py/repr objects. Attackers can craft JSON strings with py/repr directives that invoke the eval function during deserialization to execute arbitrary code.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-94

References (4)

https://github.com/jsonpickle/jsonpickle

https://jsonpickle.github.io

https://www.exploit-db.com/exploits/49585

https://www.vulncheck.com/advisories/python-jsonpickle-remote-code-execution-via-py-repr

KEV Catalog EPSS Scores Vendors All CVEs