CVE Catalog

CVE-2026-53873

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Summary

Picklescan before 1.0.4 contains an incomplete blocklist for the profile module, allowing attackers to achieve arbitrary code execution via exec(). Attackers can craft malicious pickle files calling profile.run(statement) to execute arbitrary Python code.

Risk Assessment

Organizations may face serious security risks as attackers can exploit this vulnerability to run malicious code on systems using the vulnerable version of picklescan.

Recommendation

It is recommended to update picklescan to version 1.0.4 or later to mitigate this vulnerability and conduct a security audit of applications using this library.

Original NVD description (English source)

picklescan before 1.0.4 contains an incomplete blocklist for the profile module that fails to block the module-level profile.run() function, allowing attackers to achieve arbitrary code execution via exec(). Attackers can craft malicious pickle files calling profile.run(statement) to execute arbitrary Python code while picklescan reports zero security issues.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS