CRITICALVulnerability
Verified
Global

NVD CRITICAL: CVE-2021-47952 — python jsonpickle 2.0.0 contains a remote code execution vulnerability that allo...

·Source: NIST NVD

Updated:

Executive Summary

python jsonpickle 2.0.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary Python commands by deserializing malicious JSON payloads containing py/repr objects. Attackers can craft JSON strings with py/repr directives that invoke the eval function during deserialization to execute system commands and arbitrary code.

Analysis

python jsonpickle 2.0.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary Python commands by deserializing malicious JSON payloads containing py/repr objects. Attackers can craft JSON strings with py/repr directives that invoke the eval function during deserialization to execute system commands and arbitrary code. CVSS Score: 9.8. Published: 2026-05-16T16:16:21.520.

Indicators of Compromise (1)

CVE (1)
CVE-2021-47952
NVDMITRE CVE
Source Attribution

Originally published by NIST NVD on May 16, 2026. Verified by: NIST.

Related Threats

MEDIUMVulnerability

Grafana GitHub Token Breach Led to Codebase Download and Extortion Attempt

Grafana has disclosed that an "unauthorized party" obtained a token that granted them the ability to access the company's GitHub environment and download its codebase. "Our investigation has determined that no customer data or personal information was accessed during this incident, and we have found no evidence of impact to customer systems or operations," Grafana said in a series of

The Hacker News
CRITICALVulnerability

Microsoft rejects critical Azure vulnerability report, no CVE issued

A security researcher claims Microsoft quietly fixed an Azure Backup for AKS vulnerability after rejecting his report, and without issuing a CVE. Microsoft disputes the claim, telling BleepingComputer the behavior was expected and that "no product changes were made," despite the researcher documenting a silent fix. [...]

BleepingComputer
MEDIUMVulnerability

Another detail emerges about Instructure’s agreement with ShinyHunters; Debate continues about whether to pay

Media outlets have been understandably eager to learn whether Instructure paid ShinyHunters after the latter attacked them for a second time on May 7. Considering that they pledged to be more transparent, DataBreaches doesn’t fully understand why Instructure wasn’t more forthright about the payment issue in its update, unless they were trying to avoid encouraging... Source

DataBreaches.net