
picklescan CVE-2026-3490

Severity: CRITICAL
Weakness: Permissive List of Allowed Inputs (CWE-183)
2026-06-17 · VulnCheck · GHSA-vvpj-8cmc-gx39
Score: 10.0 (CVSS 4.0 · Vendor: VulnCheck)

Severity by source

Vendor (VulnCheck), primary rating: 10.0 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 10.0 CRITICAL

Attacker delivers a malicious pickle over the network with no privileges or user interaction beyond the normal scan-then-load workflow; scope changes because the scanner's failure causes RCE in the consuming process, with full CIA impact.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (VulnCheck).

CVSS Vector (Vendor: VulnCheck)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X (not defined)

Lifecycle Timeline

Source Code Evidence Fetched: Jun 17, 2026 - 16:48 (vuln.today)
Analysis Generated: Jun 17, 2026 - 16:48 (vuln.today)

Blast Radius

Ecosystem impact (transitive dependency graph; vuln.today resolves paths up to depth 4):
  • 3 PyPI packages depend on picklescan (3 direct, 0 indirect)

Ecosystem-wide dependent count for version 1.0.4.

Description (source: CVE.org)

picklescan before 1.0.4 fails to block pkgutil.resolve_name, allowing attackers to bypass the entire blocklist by resolving any dangerous function through indirect REDUCE calls. Remote attackers can invoke any blocked function such as os.system, builtins.exec, or subprocess.call to achieve remote code execution.

Analysis (AI-generated)

Remote code execution against users of picklescan versions prior to 1.0.4 is achievable by smuggling any blocked function past its scanner using pkgutil.resolve_name as an indirection primitive. Because pkgutil.resolve_name is not on the blocklist, an attacker can chain two REDUCE opcodes to resolve and invoke os.system, builtins.exec, subprocess.call, or any other dangerous function while the scanner reports the pickle as CLEAN - a universal blocklist bypass that defeats picklescan's entire safety premise. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Recon: Craft pickle with pkgutil.resolve_name STACK_GLOBAL
  • Delivery: Publish artifact to model hub or repo
  • Exploit: Victim's pipeline runs picklescan 1.0.3 and reports CLEAN
  • Install: Victim torch.load or pickle.loads the artifact
  • C2: First REDUCE resolves os.system reference
  • Execute: Second REDUCE executes attacker command
  • Impact: RCE in MLOps service account

Vulnerability Assessment (AI-generated)

Exploitation: Exploitation requires that the victim run picklescan version 1.0.3 or earlier as a gating control over an attacker-controlled pickle file and then unpickle (or otherwise execute) that file after picklescan reports it clean; picklescan itself does not execute the payload, it only fails to flag it. …
Risk Assessment: Signals converge on a real, high-priority risk rather than a paper score. …
Exploit Scenario: An attacker uploads a malicious PyTorch model or pickle artifact to a public model hub; the target organization's MLOps pipeline runs picklescan 1.0.3 over the file and reports CLEAN because only pkgutil.resolve_name appears in the opcode stream. When the model is subsequently loaded with torch.load, the chained REDUCEs execute os.system('curl … | sh') in the training or inference container, giving the attacker code execution under the service account; the GHSA advisory publishes the exact two-REDUCE pickle template, so adapting it requires no novel research.
Remediation: Upgrade picklescan to the vendor-released patched version 1.0.4 from PyPI (pip install --upgrade 'picklescan>=1.0.4'), which adds pkgutil.resolve_name (and related indirection primitives) to the blocklist; see https://github.com/mmaitre314/picklescan/security/advisories/GHSA-vvpj-8cmc-gx39 for advisory details. …

Recommended Action (AI-generated)

24 hours: Identify all systems running picklescan versions prior to 1.0.4 and classify by network exposure; immediately restrict pickle deserialization to trusted internal sources only and enforce strict input validation. …
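As an added, defender-side illustration of the two controls this page describes (a static scanner that must treat indirection primitives as dangerous, and load-time restriction of deserialization so that a scanner miss is not fatal), the following Python is example code written for this page; it is not picklescan's implementation and not part of the advisory. Assumptions: the dangerous-global sets are a small illustrative subset built from the names on this page, the STACK_GLOBAL shadow stack is an approximation rather than a full unpickler, the `ALLOWED` set is a hypothetical allowlist, and the sample byte strings are constructed test vectors that reference the function but contain no REDUCE chain.

```python
import io
import pickle
import pickletools

# Indirection primitive named by the advisory: a global that turns a string into a
# callable defeats any name-based blocklist, so it is flagged on sight (illustrative).
INDIRECTION_GLOBALS = {("pkgutil", "resolve_name")}

# Direct-call targets the advisory mentions (illustrative subset, not picklescan's list).
BLOCKED_GLOBALS = {("os", "system"), ("builtins", "exec"), ("subprocess", "call")}

# Opcodes that push a str onto the pickle stack; STACK_GLOBAL consumes the last two.
STRING_OPCODES = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
                  "STRING", "SHORT_BINSTRING", "BINSTRING"}


def referenced_globals(data: bytes) -> list:
    """Statically list every (module, name) a pickle would import, without loading it.

    pickletools.genops only disassembles the stream, so nothing in it executes. For
    STACK_GLOBAL (protocol 4) the operands are the two most recent string pushes; this
    shadow stack ignores memo aliasing (assumption: fine for simple streams, not a
    complete unpickler).
    """
    pushed_strings = []
    found = []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)  # genops renders the pair as "module name"
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL" and len(pushed_strings) >= 2:
            found.append((pushed_strings[-2], pushed_strings[-1]))
        elif opcode.name in STRING_OPCODES:
            pushed_strings.append(arg)
    return found


def scan_pickle(data: bytes) -> dict:
    """Blocklist-style verdict, extended with the indirection primitive the bypass used."""
    refs = referenced_globals(data)
    hits = [r for r in refs if r in INDIRECTION_GLOBALS or r in BLOCKED_GLOBALS]
    return {"globals": refs, "dangerous": hits,
            "verdict": "DANGEROUS" if hits else "CLEAN"}


class AllowlistUnpickler(pickle.Unpickler):
    """Load-time control independent of any scanner: only allowlisted globals resolve.

    Deny-by-default is the CWE-183 fix direction. ALLOWED is a hypothetical set for
    plain data containers; a real deployment lists the classes its own artifacts need.
    """

    ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) not in self.ALLOWED:
            raise pickle.UnpicklingError(f"global {module}.{name} is not allowlisted")
        return super().find_class(module, name)


def try_safe_load(data: bytes):
    """Return (True, obj) on success or (False, reason) when a global is refused."""
    try:
        return True, AllowlistUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed samples (not real artifacts). Neither reference sample contains a REDUCE,
# so loading it would yield at most a function object; they exist to exercise detection.
SAMPLE_BENIGN = pickle.dumps({"weights": [0.1, 0.2]}, protocol=4)
# PROTO 2, GLOBAL "pkgutil resolve_name", STOP
SAMPLE_GLOBAL = b"\x80\x02cpkgutil\nresolve_name\n."
# PROTO 4, SHORT_BINUNICODE "pkgutil", SHORT_BINUNICODE "resolve_name", STACK_GLOBAL, STOP
SAMPLE_STACK_GLOBAL = b"\x80\x04\x8c\x07pkgutil\x8c\x0cresolve_name\x93."

if __name__ == "__main__":
    for label, blob in [("benign", SAMPLE_BENIGN), ("GLOBAL", SAMPLE_GLOBAL),
                        ("STACK_GLOBAL", SAMPLE_STACK_GLOBAL)]:
        print(label, scan_pickle(blob)["verdict"], try_safe_load(blob))
```

Running the script shows the static scan flagging both encodings of the reference (protocol 2 GLOBAL and protocol 4 STACK_GLOBAL), while the allowlist unpickler refuses them whether or not any scanner ran first. The structural point for the 24-hour action above is that a `find_class` allowlist at the point of deserialization survives a blocklist miss that a pre-load scan alone does not.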



CVE-2026-3490 vulnerability details – vuln.today
