CVE-2026-53874
9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
picklescan before 1.0.1 contains an unsafe deserialization vulnerability allowing unauthenticated users to execute arbitrary code by hiding eval calls nested under callable objects via getattr. Attackers can embed malicious code in pickle files that evades detection but executes when the pickle is loaded from untrusted sources.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| picklescan | picklescan | 0 < 1.0.1 | affected |
| picklescan | picklescan | 1.0.1 | unaffected |
Weaknesses
- CWE-502: Deserialization of Untrusted Data
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: total
Additional References
References
- https://github.com/mmaitre314/picklescan/security/advisories/GHSA-9m3x-qqw2-h32h
- https://www.vulncheck.com/advisories/picklescan-arbitrary-code-execution-via-obfuscated-eval-call
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.