20 matches found
EUVD-2025-210392
picklescan before 0.0.29 fails to detect the built-in python profile.Profile.run function when used in pickle reduce methods, allowing attackers to execute arbitrary code. Remote attackers can craft malicious pickle files that bypass picklescan detection and achieve code execution upon...
CVE-2025-71363
picklescan before 0.0.30 fails to detect cProfile.run function calls in pickle reduce methods, allowing attackers to execute arbitrary code. Remote attackers can craft malicious pickle files with cProfile.run payloads that bypass picklescan detection and achieve code execution upon deserializatio...
CVE-2025-71374
picklescan before 0.0.29 fails to detect the built-in python profile.Profile.run function when used in pickle reduce methods, allowing attackers to execute arbitrary code. Remote attackers can craft malicious pickle files that bypass picklescan detection and achieve code execution upon...
CVE-2025-71374
CVE-2025-71374 affects picklescan prior to 0.0.29. The library fails to detect the built-in Python profile.Profile.run function when used in pickle reduce methods, enabling remote attackers to craft malicious pickle files that bypass detection and achieve code execution upon deserialization. The ...
CVE-2025-71374 picklescan - Arbitrary Code Execution via Undetected profile.Profile.run
picklescan before 0.0.29 fails to detect the built-in python profile.Profile.run function when used in pickle reduce methods, allowing attackers to execute arbitrary code. Remote attackers can craft malicious pickle files that bypass picklescan detection and achieve code execution upon...
CVE-2025-71374 picklescan - Arbitrary Code Execution via Undetected profile.Profile.run
picklescan before 0.0.29 fails to detect the built-in python profile.Profile.run function when used in pickle reduce methods, allowing attackers to execute arbitrary code. Remote attackers can craft malicious pickle files that bypass picklescan detection and achieve code execution upon...
CVE-2025-71363
CVE-2025-71363 affects the picklescan tool prior to 0.0.30. It fails to detect cProfile.run calls within pickle reduce methods, enabling remote attackers to craft malicious pickle files with cProfile.run payloads that bypass picklescan detection and cause code execution during deserialization.
PT-2026-54012
Name of the Vulnerable Software and Affected Versions picklescan versions prior to 0.0.29 Description The software fails to detect the built-in Python profile.Profile.run function when it is utilized within pickle reduce methods. This allows remote attackers to craft malicious pickle files that...
PYSEC-2026-455 PickleScan's profile.run blocklist mismatch allows exec() bypass
Summary picklescan v1.0.3 blocks profile.Profile.run and profile.Profile.runctx but does NOT block the module-level profile.run function. A malicious pickle calling profile.runstatement achieves arbitrary code execution via exec while picklescan reports 0 issues. This is because the blocklist ent...
CVE-2026-53873 picklescan - Arbitrary Code Execution via profile.run() Blocklist Bypass
picklescan before 1.0.4 contains an incomplete blocklist for the profile module that fails to block the module-level profile.run function, allowing attackers to achieve arbitrary code execution via exec. Attackers can craft malicious pickle files calling profile.runstatement to execute arbitrary...
Incomplete List of Disallowed Inputs
Overview picklescan is a Security scanner detecting Python Pickle files performing suspicious actions Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in the unsafeglobals function. An attacker can execute arbitrary code by crafting a malicious pickle that...
PickleScan's profile.run blocklist mismatch allows exec() bypass
Summary picklescan v1.0.3 blocks profile.Profile.run and profile.Profile.runctx but does NOT block the module-level profile.run function. A malicious pickle calling profile.runstatement achieves arbitrary code execution via exec while picklescan reports 0 issues. This is because the blocklist ent...
GHSA-7WX9-6375-F5WH PickleScan's profile.run blocklist mismatch allows exec() bypass
Summary picklescan v1.0.3 blocks profile.Profile.run and profile.Profile.runctx but does NOT block the module-level profile.run function. A malicious pickle calling profile.runstatement achieves arbitrary code execution via exec while picklescan reports 0 issues. This is because the blocklist ent...
PT-2026-50467
Name of the Vulnerable Software and Affected Versions picklescan versions prior to 1.0.4 Description An incomplete blocklist for the profile module fails to block the module-level profile.run function. This allows attackers to achieve arbitrary code execution via exec by crafting malicious pickle...
EUVD-2026-1687
Fickling is a Python pickling decompiler and static analyzer. Fickling versions up to and including 0.1.6 do not treat Python's cProfile module as unsafe. Because of this, a malicious pickle that uses cProfile.run is classified as SUSPICIOUS instead of OVERTLYMALICIOUS. If a user relies on...
EUVD-2025-29524
Malicious code in bioql PyPI...
EUVD-2025-29438
Malicious code in bioql PyPI...
Insecure Deserialization
picklescan is vulnerable to insecure deserialization. The vulnerability is due to executing remote pickle files using profile.Profile.run, which allows an attacker to run arbitrary code on the system...
GHSA-X696-VM39-CP64 Picklescan has a missing detection when calling built-in python profile.Profile.run
Summary Using profile.Profile.run, which is a built-in python library function to execute remote pickle file. Details The attack payload executes in the following steps: First, the attacker craft the payload by calling to profile.Profile.run function in reduce method Then when the victim after...
Picklescan has a missing detection when calling built-in python profile.Profile.run
Summary Using profile.Profile.run, which is a built-in python library function to execute remote pickle file. Details The attack payload executes in the following steps: First, the attacker craft the payload by calling to profile.Profile.run function in reduce method Then when the victim after...