CRITICALVulnerability
Verified
Global

NVD CRITICAL: CVE-2026-53874 — picklescan before 1.0.1 contains an unsafe deserialization vulnerability allowin...

·Source: NIST NVD

Updated:

Executive Summary

picklescan before 1.0.1 contains an unsafe deserialization vulnerability allowing unauthenticated users to execute arbitrary code by hiding eval calls nested under callable objects via getattr. Attackers can embed malicious code in pickle files that evades detection but executes when the pickle is loaded from untrusted sources.

Analysis

picklescan before 1.0.1 contains an unsafe deserialization vulnerability allowing unauthenticated users to execute arbitrary code by hiding eval calls nested under callable objects via getattr. Attackers can embed malicious code in pickle files that evades detection but executes when the pickle is loaded from untrusted sources. CVSS Score: 9.8. Published: 2026-06-17T17:17:25.733.

Indicators of Compromise (1)

CVE (1)
CVE-2026-53874
NVDMITRE CVE
Source Attribution

Originally published by NIST NVD on Jun 17, 2026. Verified by: NIST.

Related Threats

CRITICALVulnerabilityNEW

Hostile states behind three-quarters of attacks on Britain's critical infrastructure, cyber chief warns

NCSC CEO Richard Horne warned that “kinetic targeting in any conflict tomorrow will be based on intelligence gathered today” and that nation-state adversaries were “prepositioning” throughout British critical infrastructure.

The Record
CRITICALVulnerability

NVD CRITICAL: CVE-2026-53873 — picklescan before 1.0.4 contains an incomplete blocklist for the profile module ...

picklescan before 1.0.4 contains an incomplete blocklist for the profile module that fails to block the module-level profile.run() function, allowing attackers to achieve arbitrary code execution via exec(). Attackers can craft malicious pickle files calling profile.run(statement) to execute arbitrary Python code while picklescan reports zero security issues.

CVE-2026-53873
NIST NVD
CRITICALVulnerability

NVD CRITICAL: CVE-2026-3490 — picklescan before 1.0.4 fails to block pkgutil.resolve_name, allowing attackers ...

picklescan before 1.0.4 fails to block pkgutil.resolve_name, allowing attackers to bypass the entire blocklist by resolving any dangerous function through indirect REDUCE calls. Remote attackers can invoke any blocked function such as os.system, builtins.exec, or subprocess.call to achieve remote code execution.

CVE-2026-3490
NIST NVD