CVE-2026-53873
9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
picklescan before 1.0.4 contains an incomplete blocklist for the profile module that fails to block the module-level profile.run() function, allowing attackers to achieve arbitrary code execution via exec(). Attackers can craft malicious pickle files calling profile.run(statement) to execute arbitrary Python code while picklescan reports zero security issues.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| picklescan | picklescan | 0 < 1.0.4 | affected |
| picklescan | picklescan | 1.0.4 | unaffected |
Weaknesses
- CWE-184: Incomplete List of Disallowed Inputs
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: total
Additional References
References
- https://github.com/mmaitre314/picklescan/security/advisories/GHSA-7wx9-6375-f5wh
- https://www.vulncheck.com/advisories/picklescan-arbitrary-code-execution-via-profile-run-blocklist-bypass
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.