CVE Catalog

CVE-2026-3490

CriticalCVSS 10.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.62%

45th percentile — higher than 45% of all known CVEs

Summary

Picklescan versions before 1.0.4 fail to block pkgutil.resolve_name, allowing attackers to bypass the entire blocklist through indirect REDUCE calls. Attackers can invoke any blocked function, leading to remote code execution.

Risk Assessment

Organizations are at risk of remote code execution, which can lead to serious security breaches and data loss.

Recommendation

It is recommended to update Picklescan to version 1.0.4 or later to block the ability to bypass the blocklist.

Original NVD description (English source)

picklescan before 1.0.4 fails to block pkgutil.resolve_name, allowing attackers to bypass the entire blocklist by resolving any dangerous function through indirect REDUCE calls. Remote attackers can invoke any blocked function such as os.system, builtins.exec, or subprocess.call to achieve remote code execution.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS