CVE-2026-53874
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk40th percentile — higher than 40% of all known CVEs
Summary
Picklescan before 1.0.1 contains an unsafe deserialization vulnerability allowing unauthenticated users to execute arbitrary code by hiding eval calls nested under callable objects via getattr. Attackers can embed malicious code in pickle files that evades detection but executes when the pickle is loaded from untrusted sources.
Risk Assessment
Organizations may be exposed to arbitrary code execution by unauthenticated users, potentially leading to serious security breaches and data loss.
Recommendation
It is recommended to upgrade to version 1.0.1 or later to mitigate this vulnerability and implement strict controls regarding the sources of pickle files.
Original NVD description (English source)
picklescan before 1.0.1 contains an unsafe deserialization vulnerability allowing unauthenticated users to execute arbitrary code by hiding eval calls nested under callable objects via getattr. Attackers can embed malicious code in pickle files that evades detection but executes when the pickle is loaded from untrusted sources.

