CVE-2026-53874
Received Received - Intake
BaseFortify

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: VulnCheck

Description
picklescan before 1.0.1 contains an unsafe deserialization vulnerability allowing unauthenticated users to execute arbitrary code by hiding eval calls nested under callable objects via getattr. Attackers can embed malicious code in pickle files that evades detection but executes when the pickle is loaded from untrusted sources.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-17
Last Modified
2026-06-17
Generated
2026-06-17
AI Q&A
2026-06-17
EPSS Evaluated
N/A
NVD
CVE-2026-53874
EUVD
EUVD-2026-37740
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
picklescan picklescan to 1.0.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthenticated users to execute arbitrary code by exploiting unsafe deserialization in picklescan, which can lead to unauthorized access or manipulation of data.

Such unauthorized code execution and potential data compromise can negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding sensitive data and ensuring system integrity.

Specifically, the risk of executing malicious code from untrusted sources may lead to breaches of confidentiality, integrity, and availability of data, which are core principles in these regulations.

Executive Summary

This vulnerability exists in picklescan versions before 1.0.1 and involves unsafe deserialization of pickle files.

Attackers can embed malicious code inside pickle files by hiding eval calls nested under callable objects using getattr, which bypasses detection mechanisms.

When picklescan loads these malicious pickle files from untrusted sources, the hidden code executes, allowing unauthenticated users to run arbitrary code.

Impact Analysis

This vulnerability allows unauthenticated attackers to execute arbitrary code on systems using vulnerable versions of picklescan.

Because the malicious code is hidden and evades detection, it poses a significant supply chain risk for any system relying on picklescan to scan untrusted pickle files.

Successful exploitation can lead to full system compromise, data loss, or unauthorized control over affected systems.

Detection Guidance

This vulnerability involves unsafe deserialization of pickle files with obfuscated eval calls hidden under callable objects via getattr, which evades detection by typical scanning methods.

There are no specific detection commands or network/system scanning instructions provided in the available resources.

Mitigation Strategies

The primary mitigation step is to upgrade picklescan to version 1.0.1 or later, where this vulnerability has been patched.

Avoid loading pickle files from untrusted sources to prevent execution of malicious code embedded in pickle files.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53874. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart