CVE-2026-53873

CRITICAL NVD

CVSS Score 9.8

Severity CRITICAL

Published Jun 17, 2026

Vendor unknown

Description

picklescan before 1.0.4 contains an incomplete blocklist for the profile module that fails to block the module-level profile.run() function, allowing attackers to achieve arbitrary code execution via exec(). Attackers can craft malicious pickle files calling profile.run(statement) to execute arbitrary Python code while picklescan reports zero security issues.

References

https://github.com/mmaitre314/picklescan/security/advisories/GHSA-7wx9-6375-f5wh
https://www.vulncheck.com/advisories/picklescan-arbitrary-code-execution-via-profile-run-blocklist-bypass
https://github.com/mmaitre314/picklescan/security/advisories/GHSA-7wx9-6375-f5wh