CVE-2026-3490

Source
https://cve.org/CVERecord?id=CVE-2026-3490
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-3490.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-3490
Aliases
Published
2026-06-17T15:05:01.522Z
Modified
2026-07-08T07:32:35.439552887Z
Severity
  • 10.0 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H CVSS Calculator
Summary
picklescan - Universal Blocklist Bypass via pkgutil.resolve_name
Details

picklescan before 1.0.4 fails to block pkgutil.resolve_name, allowing attackers to bypass the entire blocklist by resolving any dangerous function through indirect REDUCE calls. Remote attackers can invoke any blocked function such as os.system, builtins.exec, or subprocess.call to achieve remote code execution.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/3xxx/CVE-2026-3490.json",
    "cna_assigner": "VulnCheck",
    "cwe_ids": [
        "CWE-183"
    ]
}
References

Affected packages

Git / github.com/mmaitre314/picklescan

Affected ranges

Type
GIT
Repo
https://github.com/mmaitre314/picklescan
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "DESCRIPTION"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.0.4"
        }
    ]
}

Affected versions

v0.*
v0.0.10
v0.0.11
v0.0.12
v0.0.13
v0.0.14
v0.0.15
v0.0.17
v0.0.18
v0.0.19
v0.0.2
v0.0.20
v0.0.21
v0.0.22
v0.0.23
v0.0.24
v0.0.25
v0.0.26
v0.0.27
v0.0.28
v0.0.29
v0.0.3
v0.0.30
v0.0.31
v0.0.32
v0.0.33
v0.0.34
v0.0.35
v0.0.4
v0.0.5
v0.0.6
v0.0.7
v0.0.8
v0.0.9
v1.*
v1.0.0
v1.0.1
v1.0.2
v1.0.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-3490.json"