CVE-2026-3490
CriticalCVSS 10.0Exploitation Probability (EPSS)
Low risk45th percentile — higher than 45% of all known CVEs
Summary
Picklescan versions before 1.0.4 fail to block pkgutil.resolve_name, allowing attackers to bypass the entire blocklist through indirect REDUCE calls. Attackers can invoke any blocked function, leading to remote code execution.
Risk Assessment
Organizations are at risk of remote code execution, which can lead to serious security breaches and data loss.
Recommendation
It is recommended to update Picklescan to version 1.0.4 or later to block the ability to bypass the blocklist.
Original NVD description (English source)
picklescan before 1.0.4 fails to block pkgutil.resolve_name, allowing attackers to bypass the entire blocklist by resolving any dangerous function through indirect REDUCE calls. Remote attackers can invoke any blocked function such as os.system, builtins.exec, or subprocess.call to achieve remote code execution.

