
picklescan CVE-2026-53874

Severity: CRITICAL (CVSS 4.0 score 9.3, vendor: VulnCheck)
Weakness: Deserialization of Untrusted Data (CWE-502)
Published: 2026-06-17 (VulnCheck)

Severity by source

Vendor (VulnCheck), primary rating: 9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI rating: 9.6 CRITICAL

A network-delivered malicious pickle reaches the victim with low attack complexity and no authentication, but a user or process must load the pickle (UI:R); scope changes because picklescan's verdict is consumed by another component, and the impact is full RCE.

CVSS 3.1: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS Vector (Vendor: VulnCheck)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

Source Code Evidence Fetched: Jun 17, 2026, 16:51 (vuln.today)
Analysis Generated: Jun 17, 2026, 16:51 (vuln.today)

Description (CVE.org)

picklescan before 1.0.1 contains an unsafe deserialization vulnerability allowing unauthenticated users to execute arbitrary code by hiding eval calls nested under callable objects via getattr. Attackers can embed malicious code in pickle files that evades detection but executes when the pickle is loaded from untrusted sources.

Analysis (AI)

Arbitrary code execution in picklescan versions prior to 1.0.1 allows attackers to bypass the scanner's malicious pickle detection by obfuscating eval calls nested under callable objects via getattr, so the very tool intended to detect malicious pickles misses them. Public exploit code exists in the form of the GHSA advisory's PoC, though at the time of analysis no public exploit had been identified as actively used in attacks; the CVSS 4.0 score of 9.3 reflects unauthenticated, network-reachable impact on confidentiality, integrity, and availability.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Craft a pickle with a getattr-wrapped eval in __reduce__
Delivery: Publish to a model hub or supply to the victim
Exploit: picklescan < 1.0.1 returns a clean verdict
Execution: Victim calls pickle.load on the now-trusted file
Persist: eval executes the embedded OS command
Impact: RCE under the victim process's privileges

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that a victim system (1) uses picklescan < 1.0.1 as a pre-load safety check and trusts a clean verdict, AND (2) subsequently deserializes the scanned pickle file via pickle.load/pickle.loads or an equivalent (torch.load, joblib.load) from an untrusted source. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N with VC:H/VI:H/VA:H accurately captures the worst-case scenario: any pickle file loaded from an untrusted source after passing through picklescan can yield full RCE, and exploitation is trivial given the published PoC. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker uploads a malicious PyTorch checkpoint or sklearn .pkl to a public model hub with a __reduce__ method returning an obfuscated_eval staticmethod that internally calls getattr(builtins, 'eval')(payload). A victim organization's CI pipeline runs picklescan as a safety gate; the scanner reports the file as clean because no direct eval/exec/os reference appears, and when a downstream service later calls pickle.load() the payload executes arbitrary OS commands under the service account. Publicly available exploit code exists in the GHSA advisory.

Remediation: Vendor-released patch: upgrade picklescan to version 1.0.1 or later via pip (pip install --upgrade "picklescan>=1.0.1"; the quotes keep the shell from treating >= as a redirection). The fix landed in PR https://github.com/mmaitre314/picklescan/pull/59 and commit 173c8f2a869ea9b69b543477525ec70611c3c6f4. … Detailed patch versions, workarounds, and compensating controls in full report.
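As an added illustration of the defensive side of the scenario and remediation above (example code written here, not code from picklescan, vuln.today, or the GHSA advisory), the following Python statically lists the globals a pickle stream imports without loading it, flags those on an illustrative denylist, and contrasts that with an allowlist unpickler that refuses any unlisted global no matter how the call is nested. The names SUSPICIOUS_GLOBALS, referenced_globals, flagged_globals, safe_loads, and is_blocked are this example's own; the sample streams are constructed and only push builtins.getattr onto the stack without calling it.

```python
import io
import pickle
import pickletools
# Illustrative denylist (an assumption for this example, not picklescan's real list);
# builtins.getattr is on it because the advisory describes eval being reached through it.
SUSPICIOUS_GLOBALS = {
    ("builtins", "eval"), ("builtins", "exec"), ("builtins", "getattr"),
    ("builtins", "__import__"), ("os", "system"), ("subprocess", "Popen"),
}

def referenced_globals(data: bytes) -> list:
    """Statically list every (module, name) the stream imports, without loading it.
    Handles GLOBAL and STACK_GLOBAL (two most recent strings); memo indirection is not resolved."""
    found, recent = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            found.append(tuple(arg.split(" ", 1)))
        elif op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            recent = (recent + [arg])[-2:]
        elif op.name == "STACK_GLOBAL" and len(recent) == 2:
            found.append((recent[0], recent[1]))
    return found

def flagged_globals(data: bytes) -> list:
    """Denylist view: the referenced globals that are on the suspicious list."""
    return [g for g in referenced_globals(data) if g in SUSPICIOUS_GLOBALS]

def safe_loads(data: bytes, allowed=frozenset()):
    """Allowlist unpickler: any global not explicitly permitted raises, however the call is nested."""
    class _Unpickler(pickle.Unpickler):
        def find_class(self, module, name):
            if (module, name) in allowed:
                return super().find_class(module, name)
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
    return _Unpickler(io.BytesIO(data)).load()

def is_blocked(data: bytes) -> bool:
    """True when the allowlist unpickler refuses the stream."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False

# Constructed samples: a benign checkpoint-like dict, and two streams that only push
# builtins.getattr onto the stack (GLOBAL form and STACK_GLOBAL form) without calling it.
BENIGN = pickle.dumps({"weights": [0.1, 0.2], "epoch": 3}, protocol=4)
GETATTR_GLOBAL = b"\x80\x04cbuiltins\ngetattr\n."
GETATTR_STACK_GLOBAL = b"\x80\x04\x8c\x08builtins\x8c\x07getattr\x93."
```

The denylist check is only as good as its list, which is the weakness this CVE exploits; the allowlist unpickler is the control to rely on when untrusted pickles must be loaded at all.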

Recommended Action (AI)

24 hours: Identify all systems running picklescan < 1.0.1 and restrict network access to pickle processing endpoints; disable pickle deserialization where operationally feasible. …


CVE-2026-53874 vulnerability details – vuln.today
