Lucene search
K

17 matches found

ATTACKERKB
ATTACKERKB
added 2026/06/20 3:24 p.m.6 views

CVE-2026-56304

picklescan before 1.0.1 contains an unsafe pickle deserialization vulnerability allowing unauthenticated attackers to create arbitrary zero-byte files via logging.FileHandler class instantiation. Attackers can exploit this by crafting malicious pickle payloads to bypass RCE blocklists and create...

6.9CVSS6AI score0.00288EPSS
Exploits1References3
EUVD
EUVD
added 2026/06/20 3:24 p.m.9 views

EUVD-2026-38123

picklescan before 1.0.1 contains an unsafe pickle deserialization vulnerability allowing unauthenticated attackers to create arbitrary zero-byte files via logging.FileHandler class instantiation. Attackers can exploit this by crafting malicious pickle payloads to bypass RCE blocklists and create...

6.9CVSS6AI score0.00288EPSS
Exploits1References2
CVE
CVE
added 2026/06/20 3:24 p.m.20 views

CVE-2026-56304

CVE-2026-56304 affects picklescan versions before 1.0.1. The flaw is an unsafe pickle deserialization through the logging.FileHandler class, allowing unauthenticated attackers to craft malicious pickle payloads to create arbitrary zero-byte files. This can bypass RCE blocklists and lead to filesy...

6.9CVSS6AI score0.00288EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
added 2026/06/17 3:5 p.m.19 views

CVE-2026-53872 picklescan - Arbitrary File Read via Unsafe Pickle Deserialization

picklescan before 0.0.35 contains an unsafe pickle deserialization vulnerability allowing unauthenticated attackers to read arbitrary server files by chaining io.FileIO and urllib.request.urlopen. Attackers can bypass RCE-focused blocklists to exfiltrate sensitive data like /etc/passwd to externa...

8.7CVSS0.00509EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/17 3:5 p.m.8 views

EUVD-2026-37738

picklescan before 0.0.35 contains an unsafe pickle deserialization vulnerability allowing unauthenticated attackers to read arbitrary server files by chaining io.FileIO and urllib.request.urlopen. Attackers can bypass RCE-focused blocklists to exfiltrate sensitive data like /etc/passwd to externa...

8.7CVSS5.6AI score0.00509EPSS
Exploits0References2
CVE
CVE
added 2026/05/29 2:29 p.m.25 views

CVE-2026-10042

The CVE-2026-10042 issue affects manga-image-translator, specifically the share.py module of the shared API server. It enables remote code execution through unsafe deserialization of attacker-controlled pickle data in the /execute/{method_name} and /simple_execute/{method_name} endpoints, which c...

9.8CVSS6.7AI score0.00622EPSS
Exploits0References4
The Hacker News
The Hacker News
added 2026/04/28 11:18 a.m.13 views

Critical Unpatched Flaw Leaves Hugging Face LeRobot Open to Unauthenticated RCE

Cybersecurity researchers have disclosed details of a critical security flaw impacting LeRobot, Hugging Face's open-source robotics platform with nearly 24,000 GitHub stars, that could be exploited to achieve remote code execution. The vulnerability in question is CVE-2026-25874 CVSS score: 9.3,...

9.3CVSS7.4AI score0.15547EPSS
Exploits1
CERT
CERT
added 2026/03/12 12:0 a.m.9 views

SGLang (sglang) is vulnerable to code execution attacks via unsafe pickle deserialization

Overview Two unsafe pickle deserialization vulnerabilities have been discovered in the SGLang open-source project, one within the tool's multimodal generation module and another within the Encoder Parallel Disaggregation system. SGLang is a serving framework for large language models LLMs and...

9.8CVSS7.5AI score0.01534EPSS
Exploits2References10
OSV
OSV
added 2026/03/09 12:31 p.m.7 views

GHSA-9R5J-7R2X-RV4G Apache Airflow Providers Http has Unsafe Pickle Deserializatio leading to RCE via HttpOperator

A user with access to the DB could craft a database entry that would result in executing code on Triggerer - which gives anyone who have access to DB the same permissions as Dag Author. Since direct DB access is not usual and recommended for Airflow, the likelihood of it making any damage is low...

8.8CVSS5.9AI score0.00695EPSS
Exploits1References6
Vulnrichment
Vulnrichment
added 2026/03/09 10:19 a.m.2 views

CVE-2025-69219 Apache Airflow Providers Http: Unsafe Pickle Deserialization in apache-airflow-providers-http leading to RCE via HttpOperator

A user with access to the DB could craft a database entry that would result in executing code on Triggerer - which gives anyone who have access to DB the same permissions as Dag Author. Since direct DB access is not usual and recommended for Airflow, the likelihood of it making any damage is low...

5.9AI score0.00695EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/03/09 10:19 a.m.29 views

CVE-2025-69219 Apache Airflow Providers Http: Unsafe Pickle Deserialization in apache-airflow-providers-http leading to RCE via HttpOperator

A user with access to the DB could craft a database entry that would result in executing code on Triggerer - which gives anyone who have access to DB the same permissions as Dag Author. Since direct DB access is not usual and recommended for Airflow, the likelihood of it making any damage is low...

0.00695EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/03/08 12:0 a.m.7 views

PT-2026-24022

Name of the Vulnerable Software and Affected Versions Apache Airflow Providers Http versions prior to 6.0.0 Description A user with database access can create a malicious database entry that executes code on the Triggerer, granting them the same permissions as a Dag Author. Direct database access...

9CVSS5.9AI score0.00695EPSS
Exploits1References19
GithubExploit
GithubExploit
added 2026/02/12 3:39 a.m.164 views

Exploit for CVE-2026-26215

CVE-2026-26215 - manga-image-translator Pickle Deserialization...

9.3CVSS6.7AI score0.00923EPSS
Exploits1
Positive Technologies
Positive Technologies
added 2026/01/08 12:0 a.m.7 views

PT-2026-3411

Summary Unsafe pickle deserialization allows unauthenticated attackers to read arbitrary server files and perform SSRF. By chaining io.FileIO and urllib.request.urlopen, an attacker can bypass RCE-focused blocklists to exfiltrate sensitive data example: /etc/passwd to an external server. Details...

9.3CVSS6.9AI score
Exploits0References6
OSV
OSV
added 2025/10/22 4:45 p.m.4 views

GHSA-CQ46-M9X9-J8W2 Scapy Session Loading Vulnerable to Arbitrary Code Execution via Untrusted Pickle Deserialization

Summary An unsafe deserialization vulnerability in Scapy Internally, this triggers: python main.py SESSION = pickle.loadgzip.opensessionname, "rb" Since no validation or restriction is performed on the deserialized object, any code embedded via reduce will be executed immediately. This makes it...

5.4CVSS6.2AI score
Exploits0References3
Vulnrichment
Vulnrichment
added 2025/09/08 11:42 p.m.4 views

CVE-2025-58757 MONAI's unsafe use of Pickle deserialization may lead to RCE

MONAI Medical Open Network for AI is an AI toolkit for health care imaging. In versions up to and including 1.5.0, the pickleoperations function in monai/data/utils.py automatically handles dictionary key-value pairs ending with a specific suffix and deserializes them using pickle.loads . This...

8.8CVSS6.9AI score0.00602EPSS
Exploits1References1
CVE
CVE
added 2025/09/05 9:52 p.m.76 views

CVE-2025-58367

CVE-2025-58367 affects the Python package DeepDiff (versions 5.0.0–8.6.0). The vulnerability arises from class pollution in the Delta class constructor and a gadget in DeltaDiff that lets an attacker modify deepdiff.serialization.SAFE_TO_IMPORT to permit dangerous classes (e.g., posix.system), en...

10CVSS7.2AI score0.01056EPSS
Exploits0References3
Rows per page
Query Builder