CVE-2026-53872

HIGH NVD

CVSS Score 7.5

Severity HIGH

Published Jun 17, 2026

Vendor unknown

Description

picklescan before 0.0.35 contains an unsafe pickle deserialization vulnerability allowing unauthenticated attackers to read arbitrary server files by chaining io.FileIO and urllib.request.urlopen. Attackers can bypass RCE-focused blocklists to exfiltrate sensitive data like /etc/passwd to external servers.

References

https://github.com/mmaitre314/picklescan/security/advisories/GHSA-9726-w42j-3qjr
https://www.vulncheck.com/advisories/picklescan-arbitrary-file-read-via-unsafe-pickle-deserialization
https://github.com/mmaitre314/picklescan/security/advisories/GHSA-9726-w42j-3qjr