Lucene search
K

39 matches found

NVD
NVD
added 6 days ago12 views

CVE-2026-14535

In Trail of Bits fickling versions up to and including 0.1.11, the UnsafeImportsML analysis pass unconditionally calls AnalysisContext.shortencodenode on every import node it inspects, regardless of whether the import is flagged as unsafe. This call registers the shortened code representation in...

9.8CVSS0.00304EPSS
Exploits1References4
NVD
NVD
added 6 days ago8 views

CVE-2026-14534

Trail of Bits fickling versions up to and including 0.1.10 do not include the Python standard library modules posixsubprocess, site, and atexit in the UNSAFEIMPORTS denylist fickle.py. Because these modules are absent from the denylist, fickling's checksafety function returns LIKELYSAFE with zero...

8.8CVSS0.00328EPSS
Exploits1References4
EUVD
EUVD
added 6 days ago9 views

EUVD-2026-41676

In Trail of Bits fickling versions up to and including 0.1.11, the UnsafeImportsML analysis pass unconditionally calls AnalysisContext.shortencodenode on every import node it inspects, regardless of whether the import is flagged as unsafe. This call registers the shortened code representation in...

8.8CVSS5.9AI score0.00304EPSS
Exploits1References4
Cvelist
Cvelist
added 6 days ago25 views

CVE-2026-14535 Fickling MLAllowlist analysis pass rendered inoperative by shared mutable state in AnalysisContext.shorten_code()

In Trail of Bits fickling versions up to and including 0.1.11, the UnsafeImportsML analysis pass unconditionally calls AnalysisContext.shortencodenode on every import node it inspects, regardless of whether the import is flagged as unsafe. This call registers the shortened code representation in...

8.8CVSS0.00304EPSS
Exploits1References4
CVE
CVE
added 6 days ago20 views

CVE-2026-14535

Summary: CVE-2026-14535 affects Trail of Bits fickling up to version 0.1.11. A logic error in the UnsafeImportsML and MLAllowlist passes causes shared mutable state (AnalysisContext.reported_shortened_code) to poison deduplication, rendering MLAllowlist dead code and allowing certain pickle paylo...

9.8CVSS5.9AI score0.00304EPSS
Exploits1References4Affected Software1
ATTACKERKB
ATTACKERKB
added 6 days ago6 views

CVE-2026-14534

Trail of Bits fickling versions up to and including 0.1.10 do not include the Python standard library modules posixsubprocess, site, and atexit in the UNSAFEIMPORTS denylist fickle.py. Because these modules are absent from the denylist, fickling's checksafety function returns LIKELYSAFE with zero...

8.8CVSS5.8AI score0.00328EPSS
Exploits1References5
Cvelist
Cvelist
added 6 days ago33 views

CVE-2026-14534 Fickling check_safety() bypass via unlisted standard library modules (_posixsubprocess, site, atexit)

Trail of Bits fickling versions up to and including 0.1.10 do not include the Python standard library modules posixsubprocess, site, and atexit in the UNSAFEIMPORTS denylist fickle.py. Because these modules are absent from the denylist, fickling's checksafety function returns LIKELYSAFE with zero...

8.8CVSS0.00328EPSS
Exploits1References4
EUVD
EUVD
added 6 days ago9 views

EUVD-2026-41675

Trail of Bits fickling versions up to and including 0.1.10 do not include the Python standard library modules posixsubprocess, site, and atexit in the UNSAFEIMPORTS denylist fickle.py. Because these modules are absent from the denylist, fickling's checksafety function returns LIKELYSAFE with zero...

8.8CVSS5.8AI score0.00328EPSS
Exploits1References4
CVE
CVE
added 6 days ago21 views

CVE-2026-14534

The CVE-2026-14534 issue affects the Python package fickling, up to version 0.1.10. The root cause is that the UNSAFE_IMPORTS denylist omits three standard library modules — _posixsubprocess, site, and atexit — causing check_safety() to return LIKELY_SAFE and allowing pickle payloads to deseriali...

8.8CVSS5.8AI score0.00328EPSS
Exploits1References4Affected Software1
Positive Technologies
Positive Technologies
added 6 days ago14 views

PT-2026-55705

Name of the Vulnerable Software and Affected Versions Trail of Bits fickling versions prior to 0.1.12 Description An issue exists where the UnsafeImportsML analysis pass unconditionally calls the AnalysisContext.shorten codenode function on every import node. This action populates a shared...

8.8CVSS6.2AI score0.00304EPSS
Exploits1References14
Positive Technologies
Positive Technologies
added 6 days ago9 views

PT-2026-55704

Name of the Vulnerable Software and Affected Versions Trail of Bits fickling versions 0.1.10 and earlier Description An improper input validation issue exists in the denylist logic used to analyze pickle opcode imports. The UNSAFE IMPORTS denylist in fickle.py fails to include critical Python...

8.8CVSS6.2AI score0.00328EPSS
Exploits1References12
Snyk
Snyk
added 2026/03/04 9:31 p.m.3 views

Incomplete List of Disallowed Inputs

Overview fickling is an A static analyzer and interpreter for Python pickle data Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in the UNSAFEIMPORTS list. An attacker can execute arbitrary system commands by crafting a malicious pickle file that imports...

10CVSS6AI score
Exploits0References2
OSV
OSV
added 2026/03/04 9:31 p.m.9 views

GHSA-5HWF-RC88-82XM Fickling missing RCE-capable modules in UNSAFE_IMPORTS

Assessment The modules uuid, osxsupport and aixsupport were added to the blocklist of unsafe imports https://github.com/trailofbits/fickling/commit/ffac3479dbb97a7a1592d85991888562d34dd05b. Original report Summary fickling's UNSAFEIMPORTS blocklist is missing at least 3 stdlib modules that provid...

9.3CVSS6AI score
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/03/04 9:31 p.m.7 views

Fickling missing RCE-capable modules in UNSAFE_IMPORTS

Assessment The modules uuid, osxsupport and aixsupport were added to the blocklist of unsafe imports https://github.com/trailofbits/fickling/commit/ffac3479dbb97a7a1592d85991888562d34dd05b. Original report Summary fickling's UNSAFEIMPORTS blocklist is missing at least 3 stdlib modules that provid...

6AI score
Exploits0References3Affected Software1
OSV
OSV
added 2026/02/20 6:24 p.m.6 views

GHSA-83PF-V6QQ-PWMR Fickling has a detection bypass via stdlib network-protocol constructors

Our assessment imtplib, imaplib, ftplib, poplib, telnetlib, and nntplib were added to the list of unsafe imports https://github.com/trailofbits/fickling/commit/6d20564d23acf14b42ec883908aed159be7b9ade. The UnusedVariables heuristic works as expected. Original report Summary Fickling's checksafety...

2.3CVSS5.9AI score
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/02/20 6:24 p.m.11 views

Fickling has a detection bypass via stdlib network-protocol constructors

Our assessment imtplib, imaplib, ftplib, poplib, telnetlib, and nntplib were added to the list of unsafe imports https://github.com/trailofbits/fickling/commit/6d20564d23acf14b42ec883908aed159be7b9ade. The UnusedVariables heuristic works as expected. Original report Summary Fickling's checksafety...

5.8AI score
Exploits0References4Affected Software1
Veracode
Veracode
added 2026/01/20 10:2 a.m.6 views

Improper Security Checks For Unsafe Imports

Fickling is vulnerable to improper security checks for unsafe imports. The vulnerability is due to incomplete validation in the unsafeimports method of the static analyzer, which fails to flag certain high-risk Python modules, allowing an attacker to craft malicious pickle files that bypass safet...

9.3CVSS6.1AI score0.00554EPSS
Exploits1References10Affected Software1
RedhatCVE
RedhatCVE
added 2026/01/13 10:52 p.m.6 views

CVE-2026-22609

Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, the unsafeimports method in Fickling's static analyzer fails to flag several high-risk Python modules that can be used for arbitrary code execution. Malicious pickles importing these modules will not be detected...

9.3CVSS8.1AI score0.00554EPSS
Exploits1References1
OSV
OSV
added 2026/01/10 1:35 a.m.5 views

CVE-2026-22609 Fickling has Static Analysis Bypass via Incomplete Dangerous Module Blocklist

Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, the unsafeimports method in Fickling's static analyzer fails to flag several high-risk Python modules that can be used for arbitrary code execution. Malicious pickles importing these modules will not be detected...

9.3CVSS7.9AI score0.00554EPSS
Exploits1References8
CVE
CVE
added 2026/01/10 1:35 a.m.20 views

CVE-2026-22609

Affected software/issue: Fickling (Python pickling decompiler/static analyzer) prior to v0.1.7. Root cause: unsafe_imports() in the static analyzer fails to flag several high-risk modules, allowing malicious pickles to bypass safety checks. Impact (as stated): potential arbitrary code execution v...

9.3CVSS7.8AI score0.00554EPSS
Exploits1References6Affected Software1
Rows per page
Query Builder