CVE-2026-53873
CriticalCVSS 9.8Summary
Picklescan before 1.0.4 contains an incomplete blocklist for the profile module, allowing attackers to achieve arbitrary code execution via exec(). Attackers can craft malicious pickle files calling profile.run(statement) to execute arbitrary Python code.
Risk Assessment
Organizations may face serious security risks as attackers can exploit this vulnerability to run malicious code on systems using the vulnerable version of picklescan.
Recommendation
It is recommended to update picklescan to version 1.0.4 or later to mitigate this vulnerability and conduct a security audit of applications using this library.
Original NVD description (English source)
picklescan before 1.0.4 contains an incomplete blocklist for the profile module that fails to block the module-level profile.run() function, allowing attackers to achieve arbitrary code execution via exec(). Attackers can craft malicious pickle files calling profile.run(statement) to execute arbitrary Python code while picklescan reports zero security issues.

