Impact
The vulnerability occurs because picklescan's blocklist for the profile module is incomplete: it does not cover the module-level profile.run() function, which internally calls exec(). Attackers can craft a malicious pickle file that reaches exec() through profile.run() and causes arbitrary Python code to run, potentially compromising the host, while picklescan reports no error. This is a code injection flaw caused by an incomplete blocklist, identified as CWE-184 (Incomplete List of Disallowed Inputs).
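The failure mode above, as an added example that is not picklescan's code: a static opcode walk lists the imports a pickle references, and a per-name blocklist misses profile.run while a module-wide entry catches it. The policy tables, function names and sample bytes are constructed for illustration and are assumptions, not picklescan's real configuration.

```python
import pickletools

# Hypothetical scanner policies for illustration; the entries are assumptions,
# not picklescan's real tables. "*" marks every name in a module as unsafe.
INCOMPLETE = {"profile": {"Profile.run", "Profile.runctx"}, "os": {"*"}}
MODULE_WIDE = {"profile": {"*"}, "os": {"*"}}

# Constructed samples: each only references profile.run and stops. Nothing is
# called, and this code never unpickles them.
SAMPLE_P0 = b"cprofile\nrun\n."                          # GLOBAL, STOP
SAMPLE_P4 = b"\x80\x04\x8c\x07profile\x8c\x03run\x93."   # STACK_GLOBAL form


def referenced_globals(data: bytes):
    """List (module, name) imports in a pickle by walking opcodes only."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":
            # Protocol 4+: module and name are the two preceding strings.
            # Simplification: memo lookups are not resolved, so fail closed.
            found.append(tuple(strings[-2:]) if len(strings) >= 2 else ("?", "?"))
        elif isinstance(arg, str):
            strings.append(arg)
    return found


def flagged(data: bytes, policy: dict):
    """Return the dotted names in the pickle that the policy rejects."""
    hits = []
    for module, name in referenced_globals(data):
        names = policy.get(module, set())
        if module == "?" or "*" in names or name in names:
            hits.append(f"{module}.{name}")
    return hits


if __name__ == "__main__":
    for label, sample in (("protocol 0", SAMPLE_P0), ("protocol 4", SAMPLE_P4)):
        print(label, referenced_globals(sample))
        print("  per-name blocklist:", flagged(sample, INCOMPLETE) or "clean")
        print("  module-wide entry: ", flagged(sample, MODULE_WIDE))
```

Listing individual attributes of a module that wraps exec() leaves every unlisted entry point open, which is why the module-wide entry is the safer default for such modules.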
Affected Systems
All versions of the picklescan tool prior to 1.0.4 are affected. The vulnerability exists in picklescan 1.0.3 and older releases, which are still widely deployed in various data‑analysis and security‑testing pipelines. Users should verify that they are not running an older release of picklescan.
Risk and Exploitability
The CVSS score of 9.3 indicates high severity, while the EPSS score of less than 1% signals a very low probability of widespread exploitation at present. The vulnerability is not listed in the CISA KEV catalog, further suggesting limited public exploitation. Based on the description, the likely attack vector is local or remote file ingestion: an attacker who can supply a malicious pickle file to picklescan, for example via a web interface or shared directory, can trigger the bypass and execute arbitrary code. The attacker does not need to bypass standard blocklists because the profile.run() function remains accessible, giving the attacker complete control over the executed payload.