Filtered by vendor Picklescan
Subscriptions
Filtered by product Picklescan
Subscriptions
Total
5 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-71320 | 2 Mmaitre314, Picklescan | 2 Picklescan, Picklescan | 2026-06-20 | 9.8 Critical |
| picklescan before 0.0.33 contains an incomplete deny-list that fails to block pydoc.locate and operator.methodcaller functions, allowing attackers to bypass security checks. Remote attackers can craft malicious pickle files using these unblocked functions to achieve arbitrary code execution when the pickle is deserialized. | ||||
| CVE-2025-71322 | 2 Mmaitre314, Picklescan | 2 Picklescan, Picklescan | 2026-06-20 | 8.8 High |
| PickleScan before 0.0.33 fails to include the pty.spawn function in its unsafe globals list, allowing attackers to bypass security checks. Malicious actors can craft pickle payloads using pty.spawn to achieve arbitrary code execution when files are processed by PickleScan. | ||||
| CVE-2025-71323 | 2 Mmaitre314, Picklescan | 2 Picklescan, Picklescan | 2026-06-20 | 9.8 Critical |
| picklescan before 0.0.33 fails to block the ctypes module, allowing attackers to achieve remote code execution by invoking direct syscalls and accessing raw memory. Attackers can craft malicious pickle files using ctypes.WinDLL to load kernel32.dll and execute arbitrary commands, bypassing sandbox protections and gadget chain detection. | ||||
| CVE-2026-53873 | 2 Mmaitre314, Picklescan | 2 Picklescan, Picklescan | 2026-06-20 | 9.8 Critical |
| picklescan before 1.0.4 contains an incomplete blocklist for the profile module that fails to block the module-level profile.run() function, allowing attackers to achieve arbitrary code execution via exec(). Attackers can craft malicious pickle files calling profile.run(statement) to execute arbitrary Python code while picklescan reports zero security issues. | ||||
| CVE-2026-53874 | 2 Mmaitre314, Picklescan | 2 Picklescan, Picklescan | 2026-06-20 | 9.8 Critical |
| picklescan before 1.0.1 contains an unsafe deserialization vulnerability allowing unauthenticated users to execute arbitrary code by hiding eval calls nested under callable objects via getattr. Attackers can embed malicious code in pickle files that evades detection but executes when the pickle is loaded from untrusted sources. | ||||
Page 1 of 1.