GHSA-5v23-73v4-w2fp

Suggest an improvement
Source
https://github.com/advisories/GHSA-5v23-73v4-w2fp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-5v23-73v4-w2fp/GHSA-5v23-73v4-w2fp.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-5v23-73v4-w2fp
Withdrawn
2026-06-18T14:46:10Z
Published
2026-06-17T18:35:57Z
Modified
2026-06-18T15:00:17.001354972Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator
Summary
Duplicate Advisory: picklescan has Arbitrary file read using `io.FileIO`
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-9726-w42j-3qjr. This link is maintained to preserve external references.

Original Description

picklescan before 0.0.35 contains an unsafe pickle deserialization vulnerability allowing unauthenticated attackers to read arbitrary server files by chaining io.FileIO and urllib.request.urlopen. Attackers can bypass RCE-focused blocklists to exfiltrate sensitive data like /etc/passwd to external servers.

Database specific
{
    "github_reviewed": true,
    "nvd_published_at": "2026-06-17T17:17:25Z",
    "cwe_ids": [
        "CWE-22"
    ],
    "severity": "HIGH",
    "github_reviewed_at": "2026-06-18T14:46:10Z"
}
References

Affected packages

PyPI / picklescan

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.0.35

Affected versions

0.*
0.0.1
0.0.2
0.0.3
0.0.4
0.0.5
0.0.6
0.0.7
0.0.8
0.0.9
0.0.10
0.0.11
0.0.12
0.0.13
0.0.14
0.0.15
0.0.16
0.0.17
0.0.18
0.0.19
0.0.20
0.0.21
0.0.22
0.0.23
0.0.24
0.0.25
0.0.26
0.0.27
0.0.28
0.0.29
0.0.30
0.0.31
0.0.32
0.0.33
0.0.34

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-5v23-73v4-w2fp/GHSA-5v23-73v4-w2fp.json"