CVE-2026-53872
Status: Received - Intake
BaseFortify

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: VulnCheck

Description
picklescan before 0.0.35 contains an unsafe pickle deserialization vulnerability allowing unauthenticated attackers to read arbitrary server files by chaining io.FileIO and urllib.request.urlopen. Attackers can bypass RCE-focused blocklists to exfiltrate sensitive data like /etc/passwd to external servers.
Affected Vendors & Products
Currently, no data is known.
CWE ID: CWE-22
Description: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Executive Summary

CVE-2026-53872 is a high-severity vulnerability in picklescan versions before 0.0.35 caused by unsafe pickle deserialization.

This flaw allows unauthenticated attackers to read arbitrary files on the server by chaining io.FileIO and urllib.request.urlopen during the unpickling process.

Attackers can bypass Remote Code Execution (RCE) focused blocklists and exfiltrate sensitive data, such as the /etc/passwd file, to external servers.

Impact Analysis

This vulnerability allows attackers to read arbitrary files on the affected server without authentication.

Sensitive data, including critical system files like /etc/passwd, can be exfiltrated to external servers.

The ability to bypass RCE blocklists increases the risk of data exposure and potential further exploitation.

Detection Guidance

Detection involves monitoring for pickle deserialization that imports and chains io.FileIO and urllib.request.urlopen, the combination attackers use to read arbitrary files and send their contents to an external server.

Network detection can focus on identifying outbound requests to suspicious external servers that may be receiving exfiltrated data, such as contents of /etc/passwd.

On the system, commands to check for vulnerable picklescan versions and suspicious pickle deserialization could include:

  • Check picklescan version: `pip show picklescan` or `pip list | grep picklescan`
  • Search for pickle deserialization usage in code: `grep -r 'pickle.load' /path/to/code`
  • Monitor network connections for unusual outbound HTTP requests: `netstat -anp | grep ESTABLISHED` or use packet capture tools like `tcpdump` or `Wireshark` filtering for HTTP traffic to unknown external IPs.
  • Inspect logs for unexpected file reads or URL requests during unpickling operations.
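A static check for the import chain named above, added here as an example that is not part of this advisory and is not picklescan's own code: it disassembles a pickle stream with pickletools without ever loading it and flags references to io.FileIO and urllib.request.urlopen. The suspicious set and the sample byte strings are constructed for illustration.

```python
import pickle
import pickletools

# Callables the advisory names as the file-read / exfiltration chain. io.FileIO
# is re-exported from the C module _io, so both module spellings are matched.
# Illustrative set, not picklescan's own blocklist.
SUSPICIOUS_GLOBALS = {
    ("io", "FileIO"), ("_io", "FileIO"), ("urllib.request", "urlopen"),
}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}

def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """List every (module, name) the stream imports, without loading it.
    GLOBAL/INST carry the pair as their argument; STACK_GLOBAL (protocol 4)
    pops it from the stack, possibly via memo GET, so strings and memo are modelled."""
    found, strings, memo, memo_next = [], [], {}, 0
    for op, arg, _ in pickletools.genops(data):
        n = op.name
        if n in STRING_OPS:
            strings.append(arg)
        elif n == "MEMOIZE":            # memo slot = count of MEMOIZEs so far
            memo[memo_next] = strings[-1] if strings else None
            memo_next += 1
        elif n in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = strings[-1] if strings else None
        elif n in ("GET", "BINGET", "LONG_BINGET"):
            strings.append(memo.get(arg))
        elif n in ("GLOBAL", "INST"):   # arg is "module name"
            found.append(tuple(arg.split(" ", 1)))
        elif n == "STACK_GLOBAL" and len(strings) >= 2:
            found.append((strings[-2], strings[-1]))
            del strings[-2:]
    return found

def scan_pickle(data: bytes) -> list[str]:
    """Return 'module.name' for each flagged import; empty if clean."""
    return [f"{m}.{n}" for m, n in referenced_globals(data)
            if (m, n) in SUSPICIOUS_GLOBALS]

# Constructed samples: a protocol 0 GLOBAL reference, a protocol 4 STACK_GLOBAL
# reference, and a benign dict. None of them is an exploit payload.
SAMPLES = {
    "global_fileio": b"cio\nFileIO\n.",
    "stack_global_urlopen": b"\x80\x04\x8c\x0eurllib.request\x94\x8c\x07urlopen\x94\x93\x94.",
    "benign": pickle.dumps({"weights": [0.1, 0.2]}),
}
if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(f"{label}: {scan_pickle(blob) or 'clean'}")
```

Run it over model files before they reach pickle.load; a non-empty result is a reason to quarantine the file rather than to inspect it by loading it.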
Mitigation Strategies

The primary mitigation step is to upgrade picklescan to version 0.0.35 or later, where this unsafe pickle deserialization vulnerability has been fixed.

Additionally, restrict or monitor untrusted pickle data inputs to prevent deserialization of malicious payloads.

Implement network egress filtering to block unauthorized outbound connections that could be used for data exfiltration.

Review and harden application code to avoid unsafe deserialization patterns and consider using safer serialization formats.

Compliance Impact

This vulnerability allows unauthenticated attackers to read arbitrary server files and exfiltrate sensitive data such as /etc/passwd to external servers.

Exfiltration of sensitive data can lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and disclosure.

Therefore, exploitation of this vulnerability could result in non-compliance with these standards due to unauthorized data exposure.
