CVE-2026-56315

Sažetak

picklescan before 1.0.4 fails to block at least seven Python standard library modules (including uuid, _osx_support, _aix_support, _pyrepl.pager, and imaplib) exposing eight functions that provide direct arbitrary command execution. Attackers can craft malicious pickle files importing these unblocked modules to achieve remote code execution while bypassing picklescan's safety validation entirely.

Reference

https://github.com/mmaitre314/picklescan/security/advisories/GHSA-g38g-8gr9-h9xp
https://www.vulncheck.com/advisories/picklescan-remote-code-execution-via-unblocked-standard-library-modules
https://github.com/mmaitre314/picklescan/security/advisories/GHSA-g38g-8gr9-h9xp

CVSS

Base:	9.8
Impact:	5.9
Exploitability:	3.9

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
HIGH	HIGH	HIGH

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Zadnje važnije ažuriranje

23-06-2026 - 14:52

Objavljeno

23-06-2026 - 13:16