RCE in Picklescan
CVE-2026-53875
picklescan before 1.0.3 contains a scanning bypass vulnerability in the scan_pytorch function that allows attackers to embed malicious magic numbers via dynamic eval using the __reduce__ trick. Attackers can craft malicious PyTorch payload…
Affected products
- Picklescan — versions 0, 1.0.3
Weakness classification (CWE)
References
- disclosure@vulncheck.com (vendor-advisory)
- disclosure@vulncheck.com (patch)
- disclosure@vulncheck.com (patch)
- disclosure@vulncheck.com (third-party-advisory)