OESA-2026-1595

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2026-1595
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2026-1595.json
JSON Data
https://api.osv.dev/v1/vulns/OESA-2026-1595
Upstream
Published
2026-03-15T05:55:57Z
Modified
2026-03-15T06:19:11.335526Z
Summary
python-ply security update
Details

Security Fix(es):

An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 allows Remote Code Execution (RCE) via the picklefile parameter of the yacc() function. This parameter accepts a .pkl file that is deserialized with pickle.load() without validation. Because pickle allows execution of embedded code via __reduce__(), an attacker can achieve code execution by passing a malicious pickle file. The parameter is not mentioned in the official documentation or the GitHub repository, yet it is active in the PyPI version. This introduces a stealthy backdoor and persistence risk. NOTE: A third party states that this vulnerability should be rejected because the proof of concept does not demonstrate arbitrary code execution and fails to complete successfully. (CVE-2025-56005)

Database specific
{
    "severity": "Critical"
}
References

Affected packages

openEuler:24.03-LTS / python-ply

Package

Name
python-ply
Purl
pkg:rpm/openEuler/python-ply&distro=openEuler-24.03-LTS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.11-4.oe2403

Ecosystem specific

{
    "noarch": [
        "python-ply-help-3.11-4.oe2403.noarch.rpm",
        "python3-ply-3.11-4.oe2403.noarch.rpm"
    ],
    "src": [
        "python-ply-3.11-4.oe2403.src.rpm"
    ]
}

Database specific

source
"https://repo.openeuler.org/security/data/osv/OESA-2026-1595.json"