Lucene search
K

9 matches found

NVD
NVD
added 2026/06/17 5:16 p.m.9 views

CVE-2025-71320

picklescan before 0.0.33 contains an incomplete deny-list that fails to block pydoc.locate and operator.methodcaller functions, allowing attackers to bypass security checks. Remote attackers can craft malicious pickle files using these unblocked functions to achieve arbitrary code execution when...

9.8CVSS0.00623EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/17 3:4 p.m.17 views

CVE-2025-71320 picklescan - Remote Code Execution via Incomplete Disallowed Inputs

picklescan before 0.0.33 contains an incomplete deny-list that fails to block pydoc.locate and operator.methodcaller functions, allowing attackers to bypass security checks. Remote attackers can craft malicious pickle files using these unblocked functions to achieve arbitrary code execution when...

9.8CVSS0.00623EPSS
Exploits0References2
CVE
CVE
added 2026/06/17 3:4 p.m.24 views

CVE-2025-71320

The CVE identifies a vulnerability in picklescan prior to 0.0.33, where an incomplete deny-list fails to block pydoc.locate and operator.methodcaller. This allows remote attackers to craft malicious pickle files that, when deserialized, yield arbitrary code execution. The issue is tied to deseria...

9.8CVSS6.1AI score0.00623EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/17 3:4 p.m.9 views

EUVD-2025-210267

picklescan before 0.0.33 contains an incomplete deny-list that fails to block pydoc.locate and operator.methodcaller functions, allowing attackers to bypass security checks. Remote attackers can craft malicious pickle files using these unblocked functions to achieve arbitrary code execution when...

9.8CVSS6.1AI score0.00623EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/01/13 10:52 p.m.4 views

CVE-2026-22608

Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, both ctypes and pydoc modules aren't explicitly blocked. Even other existing pickle scanning tools like picklescan do not block pydoc.locate. Chaining these two together can achieve RCE while the scanner still...

9.3CVSS6.8AI score0.00346EPSS
Exploits0References1
OSV
OSV
added 2026/01/10 1:35 a.m.6 views

CVE-2026-22608 Fickling vulnerable to use of ctypes and pydoc gadget chain to bypass detection

Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, both ctypes and pydoc modules aren't explicitly blocked. Even other existing pickle scanning tools like picklescan do not block pydoc.locate. Chaining these two together can achieve RCE while the scanner still...

9.3CVSS6.7AI score0.00346EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2025/12/29 3:24 p.m.5 views

Picklescan has Incomplete List of Disallowed Inputs

Summary Currently picklescanner only blocks some specific functions of the pydoc and operator modules. Attackers can use other functions within these allowed modules to go through undetected and achieve RCE on the final user. Particularly pydoc.locate: Can dynamically resolve and import arbitrary...

9.8CVSS7.2AI score0.00623EPSS
Exploits0References7Affected Software1
OSV
OSV
added 2025/12/29 3:24 p.m.1 views

GHSA-84R2-JW7C-4R5Q Picklescan has Incomplete List of Disallowed Inputs

Summary Currently picklescanner only blocks some specific functions of the pydoc and operator modules. Attackers can use other functions within these allowed modules to go through undetected and achieve RCE on the final user. Particularly pydoc.locate: Can dynamically resolve and import arbitrary...

9.3CVSS7.1AI score0.00623EPSS
Exploits0References7
Positive Technologies
Positive Technologies
added 2025/12/29 12:0 a.m.11 views

PT-2026-50451

Name of the Vulnerable Software and Affected Versions picklescan versions prior to 0.0.33 Description An incomplete deny-list fails to block the pydoc.locate and operator.methodcaller functions. This allows remote attackers to bypass security checks by crafting malicious pickle files. The...

9.8CVSS6.6AI score0.00623EPSS
Exploits0References13
Rows per page
Query Builder