Lucene search
K

97 matches found

RedhatCVE
RedhatCVE
added 2026/07/07 3:16 p.m.5 views

CVE-2026-14535

A flaw was found in the fickling library, versions up to and including 0.1.11. A logic error in the security analysis passes allows an attacker to bypass intended safety checks during pickle deserialization. This vulnerability enables the invocation of arbitrary standard library modules, leading ...

9.8CVSS6AI score0.00321EPSS
Exploits1References7
RedhatCVE
RedhatCVE
added 2026/07/07 3:16 p.m.4 views

CVE-2026-14534

A flaw was found in the fickling library, which is designed to safely handle Python pickle data. The library's security checks in versions up to and including 0.1.10 fail to properly identify and block certain dangerous Python standard library modules during deserialization. This oversight allows...

8.8CVSS6.2AI score0.00342EPSS
Exploits1References7
Snyk
Snyk
added 2026/07/04 3:15 p.m.7 views

Protection Mechanism Failure

Overview fickling is an A static analyzer and interpreter for Python pickle data Affected versions of this package are vulnerable to Protection Mechanism Failure due to shared mutable state in the shortencode function. An attacker can execute arbitrary code by providing a malicious pickle payload...

9.8CVSS6.3AI score0.00321EPSS
Exploits1References2
Snyk
Snyk
added 2026/07/04 3:14 p.m.6 views

Incomplete List of Disallowed Inputs

Overview fickling is an A static analyzer and interpreter for Python pickle data Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs via the checksafety function. An attacker can execute arbitrary code by crafting pickle payloads that import unlisted standard...

8.8CVSS6.4AI score0.00342EPSS
Exploits1References2
NVD
NVD
added 2026/07/04 2:16 p.m.8 views

CVE-2026-14534

Trail of Bits fickling versions up to and including 0.1.10 do not include the Python standard library modules posixsubprocess, site, and atexit in the UNSAFEIMPORTS denylist fickle.py. Because these modules are absent from the denylist, fickling's checksafety function returns LIKELYSAFE with zero...

8.8CVSS0.00342EPSS
Exploits1References4
CVE
CVE
added 2026/07/04 1:31 p.m.23 views

CVE-2026-14535

Summary: CVE-2026-14535 affects Trail of Bits fickling up to version 0.1.11. A logic error in the UnsafeImportsML and MLAllowlist passes causes shared mutable state (AnalysisContext.reported_shortened_code) to poison deduplication, rendering MLAllowlist dead code and allowing certain pickle paylo...

9.8CVSS5.9AI score0.00321EPSS
Exploits1References4Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/07/04 1:25 p.m.8 views

CVE-2026-14534

Trail of Bits fickling versions up to and including 0.1.10 do not include the Python standard library modules posixsubprocess, site, and atexit in the UNSAFEIMPORTS denylist fickle.py. Because these modules are absent from the denylist, fickling's checksafety function returns LIKELYSAFE with zero...

8.8CVSS5.8AI score0.00342EPSS
Exploits1References5
Cvelist
Cvelist
added 2026/07/04 1:25 p.m.34 views

CVE-2026-14534 Fickling check_safety() bypass via unlisted standard library modules (_posixsubprocess, site, atexit)

Trail of Bits fickling versions up to and including 0.1.10 do not include the Python standard library modules posixsubprocess, site, and atexit in the UNSAFEIMPORTS denylist fickle.py. Because these modules are absent from the denylist, fickling's checksafety function returns LIKELYSAFE with zero...

8.8CVSS0.00342EPSS
Exploits1References4
OSV
OSV
added 2026/07/04 1:25 p.m.5 views

CVE-2026-14534 Fickling check_safety() bypass via unlisted standard library modules (_posixsubprocess, site, atexit)

Trail of Bits fickling versions up to and including 0.1.10 do not include the Python standard library modules posixsubprocess, site, and atexit in the UNSAFEIMPORTS denylist fickle.py. Because these modules are absent from the denylist, fickling's checksafety function returns LIKELYSAFE with zero...

8.8CVSS5.8AI score0.00342EPSS
Exploits1References7
CVE
CVE
added 2026/07/04 1:25 p.m.29 views

CVE-2026-14534

The CVE-2026-14534 issue affects the Python package fickling, up to version 0.1.10. The root cause is that the UNSAFE_IMPORTS denylist omits three standard library modules — _posixsubprocess, site, and atexit — causing check_safety() to return LIKELY_SAFE and allowing pickle payloads to deseriali...

8.8CVSS5.8AI score0.00342EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/03/13 8:58 p.m.3 views

GHSA-5CXW-W2XG-2M8H fickling's `platform` module subprocess invocation evades `check_safety()` with `LIKELY_SAFE`

Our assessment We added platform to the blocklist of unsafe modules https://github.com/trailofbits/fickling/commit/351ed4d4242b447c0ffd550bb66b40695f3f9975. It was not possible to inject extra arguments to file without first monkey-patching platform.followsymlinks with the pickle, as it always...

6.9CVSS6AI score
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/03/13 8:58 p.m.14 views

fickling's `platform` module subprocess invocation evades `check_safety()` with `LIKELY_SAFE`

Our assessment We added platform to the blocklist of unsafe modules https://github.com/trailofbits/fickling/commit/351ed4d4242b447c0ffd550bb66b40695f3f9975. It was not possible to inject extra arguments to file without first monkey-patching platform.followsymlinks with the pickle, as it always...

6AI score
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/13 8:57 p.m.10 views

fickling modules linecache, difflib and gc are missing from the unsafe modules blocklist

Our analysis As stated in the project's security policy, we also don't consider UnusedVariables bypasses to be security issues. We added several unsafe modules mentioned by the reporter in advisory comments to the blocklist...

6.2AI score
Exploits0References4Affected Software1
Snyk
Snyk
added 2026/03/04 9:31 p.m.3 views

Incomplete List of Disallowed Inputs

Overview fickling is an A static analyzer and interpreter for Python pickle data Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in the UNSAFEIMPORTS list. An attacker can execute arbitrary system commands by crafting a malicious pickle file that imports...

10CVSS6AI score
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/03/04 9:31 p.m.10 views

Fickling missing RCE-capable modules in UNSAFE_IMPORTS

Assessment The modules uuid, osxsupport and aixsupport were added to the blocklist of unsafe imports https://github.com/trailofbits/fickling/commit/ffac3479dbb97a7a1592d85991888562d34dd05b. Original report Summary fickling's UNSAFEIMPORTS blocklist is missing at least 3 stdlib modules that provid...

6AI score
Exploits0References3Affected Software1
OSV
OSV
added 2026/03/04 9:31 p.m.10 views

GHSA-5HWF-RC88-82XM Fickling missing RCE-capable modules in UNSAFE_IMPORTS

Assessment The modules uuid, osxsupport and aixsupport were added to the blocklist of unsafe imports https://github.com/trailofbits/fickling/commit/ffac3479dbb97a7a1592d85991888562d34dd05b. Original report Summary fickling's UNSAFEIMPORTS blocklist is missing at least 3 stdlib modules that provid...

9.3CVSS6AI score
Exploits0References3
Snyk
Snyk
added 2026/03/04 9:30 p.m.2 views

Improperly Implemented Security Check for Standard

Overview fickling is an A static analyzer and interpreter for Python pickle data Affected versions of this package are vulnerable to Improperly Implemented Security Check for Standard in the alwayschecksafety function. An attacker can execute arbitrary code by supplying a malicious pickle payload...

10CVSS6.1AI score
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/03/04 9:30 p.m.11 views

Fickling has `always_check_safety()` bypass: pickle.loads and _pickle.loads remain unhooked

Assessment The missing pickle entrypoints pickle.loads, pickle.loads, and pickle.load were added to the hook https://github.com/trailofbits/fickling/commit/8c24c6edabceab156cfd41f4d70b650e1cdad1f7. Original report Summary fickling.alwayschecksafety does not hook all pickle entry points...

6.1AI score
Exploits0References4Affected Software1
OSV
OSV
added 2026/03/04 9:30 p.m.5 views

GHSA-WCCX-J62J-R448 Fickling has `always_check_safety()` bypass: pickle.loads and _pickle.loads remain unhooked

Assessment The missing pickle entrypoints pickle.loads, pickle.loads, and pickle.load were added to the hook https://github.com/trailofbits/fickling/commit/8c24c6edabceab156cfd41f4d70b650e1cdad1f7. Original report Summary fickling.alwayschecksafety does not hook all pickle entry points...

9.3CVSS6.1AI score
Exploits0References4
Snyk
Snyk
added 2026/02/25 3:24 p.m.4 views

Incomplete List of Disallowed Inputs

Overview fickling is an A static analyzer and interpreter for Python pickle data Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in the islikelysafe, checksafety, --check-safety, alwayschecksafety and checksafety interfaces. An attacker can execute arbitra...

5.3CVSS6.1AI score
Exploits0References2
Rows per page
Query Builder