
7 matches found

EUVD
added 2025/10/03 8:7 p.m. | 4 views

EUVD-2025-29398

Malicious code in bioql PyPI...

6.6 AI score
Exploits: 0 | References: 2

Github Security Blog
added 2025/04/07 6:54 p.m. | 15 views

Picklescan failed to detect to some unsafe global function in Numpy library

Summary: An unsafe deserialization vulnerability in Python’s pickle module allows an attacker to bypass static analysis tools like Picklescan and execute arbitrary code during deserialization. This can be exploited by importing some built-in function in the Numpy library that indirectly calls some dangerou...

8.6 AI score
Exploits: 0 | References: 2 | Affected Software: 1

Github Security Blog
added 2025/03/03 6:31 p.m. | 18 views

Duplicate Advisory: Remote Code Execution via Malicious Pickle File Bypassing Static Analysis

Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-655q-fx9r-782v. This link is maintained to preserve external references. Original Description: picklescan before 0.0.21 does not treat 'pip' as an unsafe global. An attacker could craft a malicious model that use...

9.8 CVSS | 7 AI score | 0.01592 EPSS
Exploits: 2 | References: 5 | Affected Software: 1

OSV
added 2025/03/03 6:31 p.m. | 5 views

GHSA-VR75-HJH9-7FR6 Duplicate Advisory: Remote Code Execution via Malicious Pickle File Bypassing Static Analysis

Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-655q-fx9r-782v. This link is maintained to preserve external references. Original Description: picklescan before 0.0.21 does not treat 'pip' as an unsafe global. An attacker could craft a malicious model that use...

5.3 CVSS | 9.4 AI score | 0.01592 EPSS
Exploits: 2 | References: 4

OSV
added 2025/02/26 3:15 p.m. | 19 views

CVE-2025-1716

picklescan before 0.0.21 does not treat 'pip' as an unsafe global. An attacker could craft a malicious model that uses Pickle to pull in a malicious PyPI package hosted, for example, on pypi.org or GitHub via pip.main. Because pip is not a restricted global, the model, when scanned with picklesca...

9.8 CVSS | 6.8 AI score | 0.01592 EPSS
Exploits: 4 | References: 3

CVE
added 2025/02/26 2:51 p.m. | 86 views

CVE-2025-1716

CVE-2025-1716 affects picklescan later than 0.0.21; the root cause is unsafe deserialization via Python pickle, specifically calling pip.main() to install a malicious PyPI package, enabling RCE when unpickling. Exploitation could bypass static analysis, as demonstrated by the associated POC and m...

9.8 CVSS | 6.5 AI score | 0.01592 EPSS
Exploits: 2 | References: 3 | Affected Software: 1

Vulnrichment
added 2025/02/26 2:51 p.m. | 14 views

CVE-2025-1716 picklescan - Security scanning bypass via 'pip main'

picklescan before 0.0.21 does not treat 'pip' as an unsafe global. An attacker could craft a malicious model that uses Pickle to pull in a malicious PyPI package hosted, for example, on pypi.org or GitHub via pip.main. Because pip is not a restricted global, the model, when scanned with picklesca...

5.3 CVSS | 6.4 AI score | 0.01592 EPSS
Exploits: 2 | References: 3