CVE-2021-47952

python jsonpickle 2.0.0 contains a remote code execution vulnerability in its deserializer. When a JSON payload containing a py/repr object is decoded, the string stored under that tag is passed to eval, so an attacker who controls the input can craft a py/repr directive that runs arbitrary Python code in the decoding process. Like pickle, jsonpickle is an object-reconstruction format rather than a plain data format, so the practical mitigation is not to decode untrusted input with it at all; data from untrusted sources should be parsed with the standard json module and validated against an expected shape.
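The mechanism described above, as an added example that is not jsonpickle's own code: a minimal decoder that models the flaw (a "py/repr" key whose value is handed straight to eval), a hardened decoder that parses with the stdlib json module and refuses any jsonpickle "py/" directive, and a scanner that reports where such directives sit in a document. The exact string format the real unpickler expects under py/repr is not stated on this page and the model simplifies it to a bare expression; the payloads are constructed for the example, and the "malicious" one calls a harmless math function in place of an attacker's code.

```python
"""
Added example, not jsonpickle's own code: a model of the py/repr
deserialization flaw beside a hardened decoder.

Assumptions (not stated in the advisory):
- The vulnerable path is modelled by eval()'ing the string under the
  "py/repr" key; the real unpickler has more machinery around that call.
- All payloads below are constructed for this example.
"""
import json
import math  # gives the benign stand-in payload something to call


def unsafe_decode(payload: str):
    """Model of the vulnerable path: any object carrying "py/repr" is
    rebuilt by evaluating that string as Python, so whoever controls the
    JSON controls what eval() runs."""
    def hook(obj):
        if "py/repr" in obj:
            return eval(obj["py/repr"])  # the flaw: attacker string -> eval
        return obj
    return json.loads(payload, object_hook=hook)


class UnsafeTagError(ValueError):
    """Raised when a document carries jsonpickle reconstruction tags."""


def find_py_tags(value, path="$"):
    """Recursively collect JSON paths of every "py/..." key. These are
    jsonpickle object-reconstruction directives (py/repr, py/object, ...)
    and have no business in data arriving from an untrusted source."""
    hits = []
    if isinstance(value, dict):
        for key, child in value.items():
            if isinstance(key, str) and key.startswith("py/"):
                hits.append(f"{path}.{key}")
            hits.extend(find_py_tags(child, f"{path}.{key}"))
    elif isinstance(value, list):
        for i, child in enumerate(value):
            hits.extend(find_py_tags(child, f"{path}[{i}]"))
    return hits


def safe_decode(payload: str):
    """Hardened form: parse with the stdlib json module, which performs no
    object reconstruction, and reject the whole document if it carries any
    py/ directive rather than trying to neutralise tags one by one."""
    data = json.loads(payload)
    tags = find_py_tags(data)
    if tags:
        raise UnsafeTagError(f"refusing jsonpickle directives at {tags}")
    return data


# Constructed payloads for this example.
BENIGN = '{"user": "alice", "retries": 3}'
# Harmless stand-in for an attacker's expression; in a real attack the
# evaluated string would import a module and spawn a process instead.
MALICIOUS = '{"user": "alice", "settings": {"py/repr": "math.sqrt(16)"}}'


if __name__ == "__main__":
    print("unsafe decoder evaluated the tag:", unsafe_decode(MALICIOUS))
    print("safe decoder, benign input:", safe_decode(BENIGN))
    try:
        safe_decode(MALICIOUS)
    except UnsafeTagError as exc:
        print("safe decoder, hostile input:", exc)
```

find_py_tags is also usable on its own as a cheap pre-filter in front of any code path that must call jsonpickle.decode on data it does not fully trust: rejecting the document on the first py/ key is simpler and safer than trying to allowlist individual tags.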
Configurations

No configuration.

History

27 Jun 2026, 05:16

Type: CWE
Values Added: CWE-502

Type: References
Values Added:
  • https://access.redhat.com/security/cve/CVE-2021-47952
  • https://bugzilla.redhat.com/show_bug.cgi?id=2478170
  • https://security.access.redhat.com/data/csaf/v2/vex/2021/cve-2021-47952.json

26 May 2026, 14:16

Type: Summary
Values Removed: (en) python jsonpickle 2.0.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary Python commands by deserializing malicious JSON payloads containing py/repr objects. Attackers can craft JSON strings with py/repr directives that invoke the eval function during deserialization to execute system commands and arbitrary code.
Values Added: (en) python jsonpickle 2.0.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary Python commands by deserializing malicious JSON payloads containing py/repr objects. Attackers can craft JSON strings with py/repr directives that invoke the eval function during deserialization to execute arbitrary code.

16 May 2026, 16:16

Type: New CVE

Information

Published : 2026-05-16 16:16

Updated : 2026-06-27 05:16


NVD link : CVE-2021-47952

Mitre link : CVE-2021-47952

CVE.ORG link : CVE-2021-47952

Products Affected

No product.

CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')

CWE-502

Deserialization of Untrusted Data