| Name | CVE-2026-31048 |
| Description | An issue in the <code>pickle</code> protocol of Pyro v3.x allows attackers to execute arbitrary code via supplying a crafted pickled string message. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| pyro | source | (unstable) | (unfixed) | | | |
Notes
https://github.com/Sif-0x01/security-advisories/security/advisories/GHSA-7625-w9h5-83rv
This is specific to Pyro 3, later versions of Pyro as packaged in Debian
as src:pyro4 and src:pyro5 use the serpent serialiser, which is not affected