Description
picklescan before 1.0.1 contains an unsafe pickle deserialization vulnerability allowing unauthenticated attackers to create arbitrary zero-byte files via logging.FileHandler class instantiation. Attackers can exploit this by crafting malicious pickle payloads to bypass RCE blocklists and create lock files or other filesystem artifacts, potentially causing denial of service or application disruption.
Published: 2026-06-20
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from unsafe deserialization of Python pickle objects in picklescan prior to version 1.0.1. An unauthenticated attacker can send a crafted pickle payload that exploits the logging.FileHandler class constructor. This enables the creation of zero‑byte files such as lock files or other filesystem artifacts. The impact is the disruption of application functionality or denial of service through the manipulation of critical files, consistent with CWE‑502.

Affected Systems

Picklescan manually distributed by mmaitre314. Versions earlier than 1.0.1 are affected. The specific software identified by the CNA is picklescan:picklescan.

Risk and Exploitability

The CVSS score is 6.9, indicating a moderate severity. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog. Attackers require only the ability to supply a pickle payload to the application, which is generally feasible from an unauthenticated standpoint. There is no mention of remote code execution or elevated privileges, but the ability to create arbitrary filesystem objects poses a significant operational risk.

Generated by OpenCVE AI on June 20, 2026 at 17:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update picklescan to version 1.0.1 or later, which removes the vulnerable deserialization path.
  • Audit application code to ensure untrusted pickle data is no longer processed; consider replacing logging.FileHandler with a secure logging implementation.
  • After patching, monitor the filesystem for any abnormal file creation events and verify that the application functions correctly.

Generated by OpenCVE AI on June 20, 2026 at 17:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 20 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
Description picklescan before 1.0.1 contains an unsafe pickle deserialization vulnerability allowing unauthenticated attackers to create arbitrary zero-byte files via logging.FileHandler class instantiation. Attackers can exploit this by crafting malicious pickle payloads to bypass RCE blocklists and create lock files or other filesystem artifacts, potentially causing denial of service or application disruption.
Title picklescan - Arbitrary File Creation via logging.FileHandler Deserialization
First Time appeared Mmaitre314
Mmaitre314 picklescan
Weaknesses CWE-502
CPEs cpe:2.3:a:mmaitre314:picklescan:*:*:*:*:*:*:*:*
Vendors & Products Mmaitre314
Mmaitre314 picklescan
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Mmaitre314 Picklescan
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-20T15:24:46.782Z

Reserved: 2026-06-20T12:53:19.893Z

Link: CVE-2026-56304

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T17:30:08Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data