CVE-2026-53872

Source
https://cve.org/CVERecord?id=CVE-2026-53872
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53872.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53872
Aliases
Published
2026-06-17T15:05:02.203Z
Modified
2026-07-08T08:11:31.424381874Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
picklescan - Arbitrary File Read via Unsafe Pickle Deserialization
Details

picklescan before 0.0.35 contains an unsafe pickle deserialization vulnerability allowing unauthenticated attackers to read arbitrary server files by chaining io.FileIO and urllib.request.urlopen. Attackers can bypass RCE-focused blocklists to exfiltrate sensitive data like /etc/passwd to external servers.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53872.json",
    "cwe_ids": [
        "CWE-22"
    ],
    "cna_assigner": "VulnCheck"
}
References

Affected packages

Git / github.com/mmaitre314/picklescan

Affected ranges

Type
GIT
Repo
https://github.com/mmaitre314/picklescan
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "DESCRIPTION"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.0.35"
        }
    ]
}

Affected versions

v0.*
v0.0.10
v0.0.11
v0.0.12
v0.0.13
v0.0.14
v0.0.15
v0.0.17
v0.0.18
v0.0.19
v0.0.2
v0.0.20
v0.0.21
v0.0.22
v0.0.23
v0.0.24
v0.0.25
v0.0.26
v0.0.27
v0.0.28
v0.0.29
v0.0.3
v0.0.30
v0.0.31
v0.0.32
v0.0.33
v0.0.34
v0.0.4
v0.0.5
v0.0.6
v0.0.7
v0.0.8
v0.0.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53872.json"