Description
picklescan before 1.0.4 fails to block pkgutil.resolve_name, allowing attackers to bypass the entire blocklist by resolving any dangerous function through indirect REDUCE calls. Remote attackers can invoke any blocked function such as os.system, builtins.exec, or subprocess.call to achieve remote code execution.
Published: 2026-06-17
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

picklescan versions prior to 1.0.4 fail to block pkgutil.resolve_name. That omission lets an attacker resolve dangerous built-in functions such as os.system, builtins.exec, or subprocess.call through indirect REDUCE calls, bypassing the entire blocklist. Executing any of these functions gives the attacker full remote code execution on the host running picklescan.

Affected Systems

Any installation of the picklescan library released by mmaitre314 that is earlier than version 1.0.4 is affected. This includes v1.0.3 and all prior releases of the package.

Risk and Exploitability

The CVSS score of 10 classifies the flaw as critical. The EPSS score of < 1% suggests a low exploitation probability at present. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attacker would need to supply malicious input to picklescan's processing functions, which then use pkgutil.resolve_name to resolve dangerous built-in functions such as os.system or builtins.exec. The likely attack vector is untrusted user input analyzed by picklescan. The risk is high for deployments that expose picklescan to external users or allow untrusted code, since execution of the resolved functions grants remote code execution.

Generated by OpenCVE AI on June 18, 2026 at 20:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade picklescan to release 1.0.4 or later, where the resolve_name usage is removed from the blocklist logic.
  • If upgrading is not immediately possible, patch the local install to delete or disable any calls to pkgutil.resolve_name, ensuring that no untrusted input can trigger the function resolution.
  • Deploy picklescan within a restricted sandbox or restrict the execution of privileged functions such as os.system, builtins.exec, and subprocess.call to reduce the potential impact of any residual exploitation.

Generated by OpenCVE AI on June 18, 2026 at 20:06 UTC.
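
The following is an added example and is not code from the picklescan project, the GHSA advisory, or OpenCVE. It illustrates the mechanism described under Impact and the detection side of the recommended actions: a scanner that statically lists the globals a pickle would import, in both the protocol-0 GLOBAL form and the protocol-4 STACK_GLOBAL form, using only pickletools.genops (so untrusted bytes are never passed to pickle.loads), and flags pkgutil.resolve_name alongside the callables the advisory names. The blocklist UNSAFE_GLOBALS, the helper names referenced_globals and scan, and the sample pickles are constructed for illustration and are not picklescan's own; the flagged samples carry only the import reference and no call.

```python
import pickle
import pickletools

# Constructed illustration, not picklescan's own blocklist: the callables the
# advisory names, plus the indirection helper it says picklescan < 1.0.4 missed.
UNSAFE_GLOBALS = {
    ("os", "system"),
    ("builtins", "exec"),
    ("subprocess", "call"),
    ("pkgutil", "resolve_name"),
}

# String-pushing opcodes; STACK_GLOBAL takes its module and name from the two
# most recently pushed strings.
STRING_OPCODES = {
    "STRING", "BINSTRING", "SHORT_BINSTRING",
    "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
}


def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """List every (module, name) a pickle would import, without executing it.

    pickletools.genops only disassembles the opcode stream, so this never
    calls pickle.loads on untrusted bytes.
    """
    found: list[tuple[str, str]] = []
    recent_strings: list[str] = []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name in ("GLOBAL", "INST"):
            # protocol 0-3 form: genops yields the argument as "module name"
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL":
            # protocol 4+ form: module and name were pushed as strings just before
            if len(recent_strings) >= 2:
                found.append((recent_strings[-2], recent_strings[-1]))
        elif opcode.name in STRING_OPCODES:
            recent_strings.append(arg)
    return found


def scan(data: bytes) -> list[tuple[str, str]]:
    """Return the blocked globals the pickle references (empty means clean)."""
    return [g for g in referenced_globals(data) if g in UNSAFE_GLOBALS]


# Constructed sample inputs.
# A harmless model-like object, serialized normally.
BENIGN = pickle.dumps({"weights": [1.0, 2.0]}, protocol=4)
# A minimal protocol-0 stream: GLOBAL opcode 'c' importing pkgutil.resolve_name,
# then STOP. No REDUCE, no arguments.
INDIRECT_PROTO0 = b"cpkgutil\nresolve_name\n."
# The same reference in protocol-4 form: PROTO 4, two SHORT_BINUNICODE pushes
# ("pkgutil" is 7 bytes, "resolve_name" is 12), STACK_GLOBAL (0x93), STOP.
INDIRECT_PROTO4 = b"\x80\x04\x8c\x07pkgutil\x8c\x0cresolve_name\x93."

if __name__ == "__main__":
    samples = [("benign", BENIGN), ("proto0", INDIRECT_PROTO0), ("proto4", INDIRECT_PROTO4)]
    for label, blob in samples:
        print(label, scan(blob) or "clean")
```

The point of tracking STACK_GLOBAL as well as GLOBAL is that a blocklist keyed on opcode text alone misses protocol-4 pickles, where the module and attribute arrive as two separate string pushes; a scanner that resolves both forms to the same (module, name) pair can then treat pkgutil.resolve_name like any other blocked import.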

Tracking


Advisories
Source: Github GHSA
ID: GHSA-vvpj-8cmc-gx39
Title: PickleScan's pkgutil.resolve_name has a universal blocklist bypass
History

Thu, 18 Jun 2026 17:30:00 +0000

Values Added
Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 04:45:00 +0000

Values Added
Description: picklescan before 1.0.4 fails to block pkgutil.resolve_name, allowing attackers to bypass the entire blocklist by resolving any dangerous function through indirect REDUCE calls. Remote attackers can invoke any blocked function such as os.system, builtins.exec, or subprocess.call to achieve remote code execution.
Title: picklescan - Universal Blocklist Bypass via pkgutil.resolve_name
First Time appeared: Mmaitre314; Mmaitre314 picklescan
Weaknesses: CWE-183
CPEs: cpe:2.3:a:mmaitre314:picklescan:*:*:*:*:*:*:*:*
Vendors & Products: Mmaitre314; Mmaitre314 picklescan
References:
Metrics: cvssV3_1 {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}
Metrics: cvssV4_0 {'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-18T15:23:36.077Z

Reserved: 2026-03-03T16:11:38.661Z

Link: CVE-2026-3490

Vulnrichment

Updated: 2026-06-18T15:22:54.944Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T20:15:04Z

Weaknesses
  • CWE-183: Permissive List of Allowed Inputs