Lucene search
K

24 matches found

Github Security Blog
Github Security Blog
added 2025/12/29 3:24 p.m.5 views

Picklescan has Incomplete List of Disallowed Inputs

Summary Currently picklescanner only blocks some specific functions of the pydoc and operator modules. Attackers can use other functions within these allowed modules to go through undetected and achieve RCE on the final user. Particularly pydoc.locate: Can dynamically resolve and import arbitrary...

9.8CVSS7.2AI score0.00623EPSS
Exploits0References7Affected Software1
OSV
OSV
added 2025/12/29 3:24 p.m.1 views

GHSA-84R2-JW7C-4R5Q Picklescan has Incomplete List of Disallowed Inputs

Summary Currently picklescanner only blocks some specific functions of the pydoc and operator modules. Attackers can use other functions within these allowed modules to go through undetected and achieve RCE on the final user. Particularly pydoc.locate: Can dynamically resolve and import arbitrary...

9.3CVSS7.1AI score0.00623EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2025/12/29 12:0 a.m.10 views

PT-2026-50451

Name of the Vulnerable Software and Affected Versions picklescan versions prior to 0.0.33 Description An incomplete deny-list fails to block the pydoc.locate and operator.methodcaller functions. This allows remote attackers to bypass security checks by crafting malicious pickle files. The...

9.8CVSS6.1AI score0.00623EPSS
Exploits0References13
Hacker One
Hacker One
added 2016/08/24 3:21 p.m.22 views

Internet Bug Bounty: use of uninitialized variables in operator.methodcaller

I described this vulnerability in detail in a mail to the PSRT. A copy of my email, plus the fix for this issue, can be found here: https://bugs.python.org/issue27783...

6.8AI score
Exploits0
Rows per page
Query Builder