Datrie CVE-2026-5659

EUVD-2026-19235 LOW
Deserialization of Untrusted Data (CWE-502)
2026-04-06 VulDB GHSA-wc65-8wqw-hgc9
Low
Disputed · 2.1 NVD

Severity by source

Sources disagree (Low–High)
NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
7.5 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: P
Scope: X

Lifecycle Timeline

Severity Changed
Apr 29, 2026 - 01:11 NVD
MEDIUM → LOW
CVSS changed
Apr 29, 2026 - 01:11 NVD
5.3 (MEDIUM) → 2.1 (LOW)
PoC Detected
Apr 07, 2026 - 13:20 vuln.today
Public exploit code
EUVD ID Assigned
Apr 06, 2026 - 13:30 euvd
EUVD-2026-19235
Analysis Generated
Apr 06, 2026 - 13:30 vuln.today
CVE Published
Apr 06, 2026 - 13:00 nvd
MEDIUM 5.3

Description (CVE.org)

A vulnerability was found in pytries datrie up to 0.8.3. The affected element is the function Trie.load/Trie.read/Trie.__setstate__ of the file src/datrie.pyx of the component trie File Handler. The manipulation results in deserialization. The attack can be launched remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.

Analysis (AI)

Unsafe deserialization in pytries datrie through version 0.8.3 enables remote code execution when loading untrusted trie files via Trie.load(), Trie.read(), or Trie.__setstate__(). Unauthenticated remote attackers can exploit this vulnerability by crafting malicious serialized trie objects; publicly available exploit code exists, and the maintainers have not yet addressed the issue despite early notification.

Vulnerability Assessment (AI)

Risk Assessment: This vulnerability presents a realistic and high-priority risk despite a moderate CVSS score of 6.3. …

Exploit Scenario: An attacker crafts a malicious serialized trie object and distributes it as a seemingly legitimate trie data file (e.g., via email, a compromised package repository, or a file-sharing platform). When a developer or automated system loads this file using Trie.load() or Trie.read(), the embedded malicious Python objects are deserialized and executed with the privileges of the running Python process, allowing the attacker to achieve remote code execution. …

Remediation: Upgrade to a patched version of pytries datrie as soon as one is released by the maintainers; users should monitor GitHub issue #109 (https://github.com/pytries/datrie/issues/109) for patch availability. …

Vendor Status

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.3 Fixed
