Description
picklescan before 0.0.35 contains an unsafe pickle deserialization vulnerability allowing unauthenticated attackers to read arbitrary server files by chaining io.FileIO and urllib.request.urlopen. Attackers can bypass RCE-focused blocklists to exfiltrate sensitive data like /etc/passwd to external servers.
Published: 2026-06-17
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from unsafe deserialization of Python pickle data in picklescan versions prior to 0.0.35, allowing attackers to trigger the loading of arbitrary files by chaining io.FileIO with urllib.request.urlopen. This can result in sensitive data such as /etc/passwd being read and exfiltrated to an external server. The weakness is a classic path traversal and insecure deserialization flaw identified as CWE-22.

Affected Systems

The flaw affects picklescan, developed by mmaitre314: any installation running version 0.0.34 or earlier is affected, regardless of deployment environment.

Risk and Exploitability

The CVSS score of 8.7 marks this as a high-severity issue, while the EPSS score of less than 1% indicates a low but nonzero likelihood of exploitation. The vulnerability can be triggered by unauthenticated attackers who can supply malicious pickle payloads to an exposed endpoint. If the application is reachable from untrusted networks, the attacker can read any file accessible to the process and transmit it externally, thereby compromising confidentiality. The flaw is not currently listed in the CISA KEV catalog.

Generated by OpenCVE AI on June 18, 2026 at 20:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to picklescan version 0.0.35 or later, which removes the unsafe deserialization code.
  • If an upgrade is not immediately feasible, limit the exposure of endpoints that accept pickle data to authenticated, trusted users and enforce strict input validation to prevent arbitrary file access.
  • Configure the runtime environment to deny the use of urllib.request.urlopen within any deserialization context, or isolate the deserialization process in a sandbox that only permits reads of known safe files.
  • Continuously audit application logs for unexpected pickle loading and file read activity, and set up alerts for anomalous behavior.
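Upgrading remains the fix. As an added illustration (not code from picklescan or OpenCVE) of why an RCE-focused blocklist misses this chain, the sketch below lists a pickle's imports without loading it, blocks the two callables named in the description, and sends anything outside an allowlist to review. `ALLOWED`, `verdict` and the sample blobs are assumptions made for the example.

```python
import collections
import io
import pickle
import pickletools

# Callables named in this advisory; CPython defines io.FileIO in module "_io".
FILE_READ_EXFIL = {("io", "FileIO"), ("_io", "FileIO"),
                   ("urllib.request", "urlopen")}
# Assumption: the imports this deployment expects in its pickles (hypothetical).
ALLOWED = {("collections", "OrderedDict")}


def imported_globals(data: bytes):
    """List the (module, name) pairs a pickle would import, without loading it."""
    found, strings = [], []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name in ("GLOBAL", "INST"):
            module, _, name = arg.partition(" ")  # pickletools joins the pair
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL":
            # Protocol 4+: module and name are the two strings pushed just
            # before. Heuristic: strings fetched from the memo are not tracked,
            # so an unresolved pair is reported as ("?", "?").
            found.append(tuple(strings[-2:]) if len(strings) >= 2 else ("?", "?"))
        elif isinstance(arg, str):
            strings.append(arg)
    return found


def verdict(data: bytes) -> str:
    """block: advisory callables or unparsable; review: not allowlisted."""
    try:
        refs = set(imported_globals(data))
    except Exception:
        return "block"
    if refs & FILE_READ_EXFIL:
        return "block"
    return "review" if refs - ALLOWED else "allow"


# Constructed samples: each only references a callable, none invokes it.
SAMPLES = {
    "plain data": pickle.dumps({"weights": [0.1, 0.2]}, protocol=4),
    "allowlisted": pickle.dumps(collections.OrderedDict(a=1), protocol=4),
    "FileIO ref": pickle.dumps(io.FileIO, protocol=4),
    "urlopen ref": b"curllib.request\nurlopen\n.",  # protocol 0 GLOBAL
    "other import": pickle.dumps(pickletools.OpcodeInfo, protocol=4),
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(f"{label:13} {verdict(blob):7} {imported_globals(blob)}")
```

The "other import" sample shows the allowlist catching an import that no blocklist entry covers, which is the gap the description attributes to RCE-focused blocklists.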



Advisories
Source ID Title
GitHub GHSA | GHSA-9726-w42j-3qjr | picklescan has Arbitrary file read using `io.FileIO`
History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description: picklescan before 0.0.35 contains an unsafe pickle deserialization vulnerability allowing unauthenticated attackers to read arbitrary server files by chaining io.FileIO and urllib.request.urlopen. Attackers can bypass RCE-focused blocklists to exfiltrate sensitive data like /etc/passwd to external servers.
Title: picklescan - Arbitrary File Read via Unsafe Pickle Deserialization
First Time appeared: Mmaitre314; Mmaitre314 picklescan
Weaknesses: CWE-22
CPEs: cpe:2.3:a:mmaitre314:picklescan:*:*:*:*:*:*:*:*
Vendors & Products: Mmaitre314; Mmaitre314 picklescan
References
Metrics:
  cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
  cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-17T17:36:17.833Z

Reserved: 2026-06-10T21:23:54.283Z

Link: CVE-2026-53872

Vulnrichment

Updated: 2026-06-17T17:34:29.859Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T23:15:04Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')