CVE Catalog

CVE-2026-53874

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.52%

40th percentile — higher than 40% of all known CVEs

Summary

Picklescan before 1.0.1 contains an unsafe deserialization vulnerability allowing unauthenticated users to execute arbitrary code by hiding eval calls nested under callable objects via getattr. Attackers can embed malicious code in pickle files that evades detection but executes when the pickle is loaded from untrusted sources.

Risk Assessment

Organizations may be exposed to arbitrary code execution by unauthenticated users, potentially leading to serious security breaches and data loss.

Recommendation

It is recommended to upgrade to version 1.0.1 or later to mitigate this vulnerability and implement strict controls regarding the sources of pickle files.

Original NVD description (English source)

picklescan before 1.0.1 contains an unsafe deserialization vulnerability allowing unauthenticated users to execute arbitrary code by hiding eval calls nested under callable objects via getattr. Attackers can embed malicious code in pickle files that evades detection but executes when the pickle is loaded from untrusted sources.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS