CVE Catalog

CVE-2026-53872

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Summary

Picklescan before 0.0.35 contains an unsafe pickle deserialization vulnerability allowing unauthenticated attackers to read arbitrary server files by chaining io.FileIO and urllib.request.urlopen.

Risk Assessment

Attackers can bypass RCE-focused blocklists to exfiltrate sensitive data like /etc/passwd to external servers.

Recommendation

It is recommended to update picklescan to version 0.0.35 or later to mitigate this vulnerability.

Original NVD description (English source)

picklescan before 0.0.35 contains an unsafe pickle deserialization vulnerability allowing unauthenticated attackers to read arbitrary server files by chaining io.FileIO and urllib.request.urlopen. Attackers can bypass RCE-focused blocklists to exfiltrate sensitive data like /etc/passwd to external servers.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS