Total CVEs

143,126

Critical Severity

4,045

High Severity

14,563

Last 7 Days

1,271
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 41 - 51 of 51 CVEs

picklescan before 1.0.3 contains a scanning bypass vulnerability in the scan_pytorch function that allows attackers to embed malicious magic numbers via dynamic eval using the __reduce__ trick. Attackers can craft malicious PyTorch payloads that evade picklescan detection while remaining executable,...

Vendor: picklescan
Product: picklescan
Published: Jun 17, 2026
Source: NVD
CVE-2026-53874 CRITICAL - 9.8

picklescan before 1.0.1 contains an unsafe deserialization vulnerability allowing unauthenticated users to execute arbitrary code by hiding eval calls nested under callable objects via getattr. Attackers can embed malicious code in pickle files that evades detection but executes when the pickle is l...

Vendor: picklescan
Product: picklescan
Published: Jun 17, 2026
Source: NVD
CVE-2026-53873 CRITICAL - 9.8

picklescan before 1.0.4 contains an incomplete blocklist for the profile module that fails to block the module-level profile.run() function, allowing attackers to achieve arbitrary code execution via exec(). Attackers can craft malicious pickle files calling profile.run(statement) to execute arbitra...

Vendor: picklescan
Product: picklescan
Published: Jun 17, 2026
Source: NVD
CVE-2026-53872 HIGH - 7.5

picklescan before 0.0.35 contains an unsafe pickle deserialization vulnerability allowing unauthenticated attackers to read arbitrary server files by chaining io.FileIO and urllib.request.urlopen. Attackers can bypass RCE-focused blocklists to exfiltrate sensitive data like /etc/passwd to external s...

Vendor: picklescan
Product: picklescan
Published: Jun 17, 2026
Source: NVD
CVE-2026-3490 CRITICAL - 10.0

picklescan before 1.0.4 fails to block pkgutil.resolve_name, allowing attackers to bypass the entire blocklist by resolving any dangerous function through indirect REDUCE calls. Remote attackers can invoke any blocked function such as os.system, builtins.exec, or subprocess.call to achieve remote co...

Published: Jun 17, 2026
Source: NVD
CVE-2025-71325 CRITICAL - 9.8

picklescan before 0.0.27 contains a parsing logic error in the _list_globals function when handling STACK_GLOBAL opcodes, failing to track arguments in the correct range and allowing malicious pickle files to bypass detection. Attackers can craft pickle files with arguments at position zero to trigg...

Vendor: picklescan
Product: picklescan
Published: Jun 17, 2026
Source: NVD
CVE-2025-71323 CRITICAL - 9.8

picklescan before 0.0.33 fails to block the ctypes module, allowing attackers to achieve remote code execution by invoking direct syscalls and accessing raw memory. Attackers can craft malicious pickle files using ctypes.WinDLL to load kernel32.dll and execute arbitrary commands, bypassing sandbox p...

Vendor: picklescan
Product: picklescan
Published: Jun 17, 2026
Source: NVD
CVE-2025-71322 HIGH - 8.8

PickleScan before 0.0.33 fails to include the pty.spawn function in its unsafe globals list, allowing attackers to bypass security checks. Malicious actors can craft pickle payloads using pty.spawn to achieve arbitrary code execution when files are processed by PickleScan.

Vendor: PickleScan
Product: PickleScan
Published: Jun 17, 2026
Source: NVD
CVE-2025-71321 CRITICAL - 9.8

picklescan before 0.0.33 contains an arbitrary file writing vulnerability that allows attackers to bypass the dangerous blocklist by using distutils.file_util.write_file. Attackers can construct malicious pickle objects to overwrite critical system files and achieve denial of service or remote code ...

Vendor: picklescan
Product: picklescan
Published: Jun 17, 2026
Source: NVD
CVE-2025-71320 CRITICAL - 9.8

picklescan before 0.0.33 contains an incomplete deny-list that fails to block pydoc.locate and operator.methodcaller functions, allowing attackers to bypass security checks. Remote attackers can craft malicious pickle files using these unblocked functions to achieve arbitrary code execution when the...

Vendor: picklescan
Product: picklescan
Published: Jun 17, 2026
Source: NVD
CVE-2026-22608 HIGH - 7.8

Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, both ctypes and pydoc modules aren't explicitly blocked. Even other existing pickle scanning tools (like picklescan) do not block pydoc.locate. Chaining these two together can achieve RCE while the scanner sti...

Vendor: trailofbits
Product: fickling
Published: Jan 10, 2026
Source: NVD