What is the CVSS score of CVE-2026-25632?

CVE-2026-25632 has a CVSS 3.1 base score of 10.0 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Python are affected by CVE-2026-25632?

A critical remote code execution vulnerability in EPyT-Flow allows unauthenticated attackers to execute arbitrary code on systems running the affected package through malicious JSON requests.. A patch is available.

How to fix or mitigate CVE-2026-25632?

Within 24 hours: Identify all systems running EPyT-Flow and isolate them from production networks if possible; disable REST API access or restrict to trusted networks only. Within 7 days: Implement network-level controls (WAF rules, API gateway restrictions) to block suspicious JSON type parameters; begin evaluation of alternative packages or version freezing strategy. Within 30 days: Develop and test a comprehensive remediation plan including potential system migration; establish vendor communication protocol to track patch availability.

Python CVE-2026-25632

CRITICAL

Deserialization of Untrusted Data (CWE-502)

2026-02-06 security-advisories@github.com

GHSA-74vm-8frp-7w68

Python Command Injection Deserialization Epyt Flow

10.0

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

10.0 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

CVE Published

Feb 06, 2026 - 21:16 nvd

CRITICAL 10.0

DescriptionGitHub Advisory

EPyT-Flow is a Python package designed for the easy generation of hydraulic and water quality scenario data of water distribution networks. Prior to 0.16.1, EPyT-Flow’s REST API parses attacker-controlled JSON request bodies using a custom deserializer (my_load_from_json) that supports a type field. When type is present, the deserializer dynamically imports an attacker-specified module/class and instantiates it with attacker-supplied arguments. This allows invoking dangerous classes such as subprocess.Popen, which can lead to OS command execution during JSON parsing. This also affects the loading of JSON files. This vulnerability is fixed in 0.16.1.

AnalysisAI

EPyT-Flow hydraulic simulation package has a CVSS 10.0 insecure deserialization enabling code execution when loading simulation scenario files.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Craft malicious JSON with type field

Delivery

Send to REST API endpoint

Exploit

Deserializer imports attacker module

Execution

Instantiate subprocess.Popen

Impact

Execute arbitrary OS commands

Access

Craft malicious JSON with type field

Delivery

Send to REST API endpoint

Exploit

Deserializer imports attacker module

Execution

Instantiate subprocess.Popen

Impact

Execute arbitrary OS commands

Vulnerability AssessmentAI

Exploitation	EPyT-Flow versions prior to 0.16.1 with REST API exposed to network. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 10.0 — used in water infrastructure research and simulation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker distributes a crafted EPyT-Flow scenario file containing a malicious pickle payload. When a researcher loads the file, the payload executes arbitrary code on their system.
Remediation	Update EPyT-Flow. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running EPyT-Flow and isolate them from production networks if possible; disable REST API access or restrict to trusted networks only. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-49257 CRITICAL Act Now

10.0 Jun 18

Authentication bypass in StarTree mcp-pinot versions 3.0.1 and earlier exposes the Model Context Protocol HTTP server on

CVE-2026-10561 CRITICAL Act Now

10.0 Jun 22

Unauthenticated remote code execution in IBM Langflow OSS versions 1.0.0 through 1.9.3 allows attackers to fully comprom

CVE-2026-55255 CRITICAL Act Now

9.9 Jun 19

Cross-user flow execution in Langflow versions prior to 1.9.1 allows any authenticated API user to run another user's fl

CVE-2026-53753 CRITICAL Act Now

9.8 Jun 16

Unauthenticated remote code execution in Crawl4AI versions <= 0.8.6 allows attackers to escape the AST-based sandbox in

CVE-2026-38714 CRITICAL Act Now

9.8 Jun 18

InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a co

CVE-2026-25632 vulnerability details – vuln.today

Back

Python CVE-2026-25632

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

More from same product – last 7 days

Share

External POC / Exploit Code