jsonpickle through 1.4.1 allows remote code execution during deserialization of a malicious payload through the decode() function.
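
A defensive pre-check for the issue described above, as an added example that is not code from jsonpickle or from the advisory: it parses untrusted text with the standard `json` module and rejects any object key starting with `py/`. That jsonpickle marks its type tags with this prefix is an assumption about the wire format, which the advisory does not describe; the names `load_plain_json`, `is_plain` and `TaggedPayloadError` are hypothetical.

```python
import json

# Assumption: jsonpickle marks Python-specific values with reserved "py/..."
# keys (for example "py/object"); plain JSON data never needs them.
TAG_PREFIX = "py/"


class TaggedPayloadError(ValueError):
    """Raised when untrusted JSON carries jsonpickle type tags."""


def _reject_tags(pairs):
    # object_pairs_hook sees every key/value pair of every JSON object,
    # including duplicate keys that a plain dict would silently collapse.
    for key, _ in pairs:
        if key.startswith(TAG_PREFIX):
            raise TaggedPayloadError(f"reserved key {key!r} in untrusted input")
    return dict(pairs)


def load_plain_json(text):
    """Parse untrusted text as data only; never hand it to jsonpickle.decode()."""
    return json.loads(text, object_pairs_hook=_reject_tags)


def is_plain(text):
    """True if text is valid JSON with no jsonpickle tags at any depth."""
    try:
        load_plain_json(text)
        return True
    except ValueError:  # covers TaggedPayloadError and json.JSONDecodeError
        return False


# Constructed sample inputs (not taken from any real payload).
SAMPLES = {
    "plain": '{"user": "alice", "roles": ["admin", "dev"]}',
    "tagged_top": '{"py/object": "example.Placeholder", "x": 1}',
    "tagged_nested": '{"items": [{"meta": {"py/type": "example.Placeholder"}}]}',
    "duplicate_key": '{"py/object": "example.Placeholder", "py/object": "x"}',
    "tag_as_value": '{"note": "py/object is a string here, not a key"}',
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:14} -> {'accept' if is_plain(text) else 'reject'}")
```

The check fits inputs that are expected to be plain data; it does not make decode() safe for payloads that legitimately carry type tags.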