Picklescan
11 CVEs affecting Picklescan. Latest disclosed: 2026-06-17. Critical: 7, High: 3.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-3490 | Critical | 10.0 | 2026-06-17 | picklescan before 1.0.4 fails to block pkgutil.resolve_name, allowing attackers to bypass the entire blocklist by resolving any dangerous function through indi… |
| CVE-2026-53874 | Critical | 9.8 | 2026-06-17 | picklescan before 1.0.1 contains an unsafe deserialization vulnerability allowing unauthenticated users to execute arbitrary code by hiding eval calls nested u… |
| CVE-2026-53873 | Critical | 9.8 | 2026-06-17 | picklescan before 1.0.4 contains an incomplete blocklist for the profile module that fails to block the module-level profile.run() function, allowing attackers… |
| CVE-2025-71325 | Critical | 9.8 | 2026-06-17 | picklescan before 0.0.27 contains a parsing logic error in the _list_globals function when handling STACK_GLOBAL opcodes, failing to track arguments in the cor… |
| CVE-2025-71323 | Critical | 9.8 | 2026-06-17 | picklescan before 0.0.33 fails to block the ctypes module, allowing attackers to achieve remote code execution by invoking direct syscalls and accessing raw me… |
| CVE-2025-71321 | Critical | 9.8 | 2026-06-17 | picklescan before 0.0.33 contains an arbitrary file writing vulnerability that allows attackers to bypass the dangerous blocklist by using distutils.file_util… |
| CVE-2025-71320 | Critical | 9.8 | 2026-06-17 | picklescan before 0.0.33 contains an incomplete deny-list that fails to block pydoc.locate and operator.methodcaller functions, allowing attackers to bypass se… |
| CVE-2025-71322 | High | 8.8 | 2026-06-17 | PickleScan before 0.0.33 fails to include the pty.spawn function in its unsafe globals list, allowing attackers to bypass security checks. Malicious actors can… |
| CVE-2026-53872 | High | 7.5 | 2026-06-17 | picklescan before 0.0.35 contains an unsafe pickle deserialization vulnerability allowing unauthenticated attackers to read arbitrary server files by chaining… |
| CVE-2025-46417 | High | 7.5 | 2025-04-24 | The unsafe globals in Picklescan before 0.0.25 do not include ssl. Consequently, ssl.get_server_certificate can exfiltrate data via DNS after deserialization. |
| CVE-2026-53875 | | | 2026-06-17 | picklescan before 1.0.3 contains a scanning bypass vulnerability in the scan_pytorch function that allows attackers to embed malicious magic numbers via dynami… |