CVE-2026-56315
Status: Deferred - Pending Action
Command Injection Risk in Picklescan via Unblocked Python Modules

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: VulnCheck

Description
picklescan before 1.0.4 fails to block at least seven Python standard library modules (including uuid, _osx_support, _aix_support, _pyrepl.pager, and imaplib) exposing eight functions that provide direct arbitrary command execution. Attackers can craft malicious pickle files importing these unblocked modules to achieve remote code execution while bypassing picklescan's safety validation entirely.
Meta Information
Generated: 2026-06-23
AI Q&A generated: 2026-06-23
EPSS Evaluated: N/A
CVSS and EPSS scores: none recorded for this entry
Affected Vendors & Products
Associated CPE (1): vendor mmaitre314, product picklescan, versions before 1.0.4 (1.0.4 itself is not affected)
CWE
CWE-184 (Incomplete List of Disallowed Inputs): The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
AI-generated analysis
The summary, impact, detection, mitigation and compliance sections below were machine-generated for this entry.
Executive Summary

CVE-2026-56315 is a blocklist-bypass vulnerability in picklescan versions before 1.0.4 (no CVSS score is recorded on this page): the tool fails to block at least seven Python standard library modules that contain functions enabling direct arbitrary command execution.

This flaw allows attackers to craft malicious pickle files that import these unblocked modules, bypassing picklescan's safety validation entirely and resulting in remote code execution (RCE) without any alerts from the scanner.

  • Affected modules include uuid, _osx_support, _aix_support, _pyrepl.pager, imaplib, and others.

The root cause is picklescan's incomplete blocklist (CWE-184): it omits these modules even though they ship with every CPython installation, so an attacker needs no third-party package on the target to reach them.

Proof-of-concept exploits demonstrate that malicious pickle files using these modules are reported as clean by affected picklescan versions, while the payload executes successfully once the file is unpickled.

Impact Analysis

This vulnerability can lead to remote code execution on systems that rely on picklescan for validating pickle files.

Attackers can upload malicious pickle files that execute arbitrary commands or spawn subprocesses when loaded, potentially compromising the affected system.

Systems such as HuggingFace Hub, machine learning pipelines, and model registries that use picklescan for security validation are particularly at risk.

No CVSS vector is recorded on this page, but the preconditions are low in practice: the attacker only needs to place a crafted file where it will be scanned and later unpickled (for example by uploading it as a model artifact), needs no account or privilege on the system that loads it, and the scan that is supposed to stop the file reports it as clean, so the control never fires.

Detection Guidance

This vulnerability involves malicious pickle files that import certain unblocked Python standard library modules to achieve remote code execution while bypassing picklescan's safety validation. Detection is challenging because picklescan versions before 1.0.4 incorrectly flag these malicious pickle files as clean.

To detect exploitation attempts on your system or network, you should monitor for the presence of pickle files that import any of the vulnerable modules such as uuid, _osx_support, _aix_support, _pyrepl.pager, imaplib, and test.support.script_helper.

The module and attribute name of every imported global are stored as plain strings in the pickle stream (the GLOBAL and STACK_GLOBAL opcodes), so a file can be searched for these names before anything is unpickled, with grep for quick triage or with a short Python script for an accurate answer.

  • grep for the module names (dots escaped, since an unescaped dot matches any byte; -a forces text mode on binary input): grep -aE 'uuid|_osx_support|_aix_support|_pyrepl\.pager|imaplib|test\.support\.script_helper' <file>. Expect false positives: "uuid" also occurs in ordinary string data, and a match does not tell you whether the string is a module reference or a value.
  • Use a Python script that walks the opcode stream with pickletools.genops and reports every GLOBAL / STACK_GLOBAL reference; this distinguishes imports from data and never executes the file. Unpack zip-based formats first (a PyTorch .pt/.pth checkpoint is a zip archive whose data.pkl member holds the pickle) rather than relying on grep seeing through the container.

However, since picklescan itself fails to detect these malicious files, relying solely on it is insufficient. Network monitoring for unusual pickle file uploads or executions in ML pipelines or model registries is also recommended.
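A static pre-load check of the kind described above, written as an added example for this page and not picklescan's own code: it walks the opcode stream with pickletools.genops, collects every module/attribute pair a GLOBAL or STACK_GLOBAL opcode would import (including the case where protocol 4+ fetches an already-memoised module name with BINGET), and flags any reference whose module is one of those named on this page. The function names, the UNBLOCKED_MODULES tuple and the sample pickles are this example's own constructions; the samples merely reference uuid functions and call nothing, so building and loading them is harmless.

```python
import pickle
import pickletools
import uuid  # only used to build the constructed sample; nothing from it is called

# Modules this page lists as unblocked in picklescan < 1.0.4. The CVE text says
# "at least seven" but names only six, so treat this tuple as a floor, not the set.
UNBLOCKED_MODULES = (
    "uuid",
    "_osx_support",
    "_aix_support",
    "_pyrepl.pager",
    "imaplib",
    "test.support.script_helper",
)

# Opcodes that push a str, fetch a memoised value, or store one in the memo.
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
GET_OPS = {"GET", "BINGET", "LONG_BINGET"}
PUT_OPS = {"PUT", "BINPUT", "LONG_BINPUT"}


def extract_globals(data: bytes) -> list[tuple[str, str]]:
    """Return every (module, name) the stream would import, without unpickling it.

    GLOBAL (protocol <= 3) carries "module name" inline. STACK_GLOBAL
    (protocol >= 4) takes both from the two strings on top of the stack; those
    may have been pushed directly or fetched from the memo (a second reference
    to the same module is emitted as BINGET), so both paths are tracked here.
    """
    refs: list[tuple[str, str]] = []
    recent: list[str] = []          # last two string values pushed
    memo: dict[int, object] = {}    # memo slot -> value (None when not a str)
    last: object = None             # most recently pushed value, for MEMOIZE / PUT
    for op, arg, _pos in pickletools.genops(data):
        opname = op.name
        if opname == "GLOBAL":
            module, attr = arg.split(" ", 1)  # genops renders the pair as "module name"
            refs.append((module, attr))
            last = None
        elif opname == "STACK_GLOBAL":
            if len(recent) < 2:
                raise ValueError("STACK_GLOBAL without two preceding strings")
            refs.append((recent[-2], recent[-1]))
            last = None
        elif opname in STRING_OPS:
            last = arg
            recent.append(arg)
        elif opname in GET_OPS:
            last = memo.get(arg)
            if isinstance(last, str):
                recent.append(last)
        elif opname == "MEMOIZE":
            memo[len(memo)] = last      # MEMOIZE slot = current memo size
        elif opname in PUT_OPS:
            memo[arg] = last
        else:
            last = None                 # any other push is not a str
        recent = recent[-2:]
    return refs


def flagged_references(data: bytes) -> list[tuple[str, str]]:
    """References whose module is (or is a submodule of) an unblocked module."""
    return [
        (mod, attr) for mod, attr in extract_globals(data)
        if any(mod == m or mod.startswith(m + ".") for m in UNBLOCKED_MODULES)
    ]


def constructed_sample(protocol: int) -> bytes:
    """Constructed sample input: a benign pickle that only references two uuid
    functions. Loading it returns the function objects and calls nothing, but the
    module reference is exactly what picklescan < 1.0.4 let through unflagged."""
    return pickle.dumps([uuid.uuid4, uuid.uuid1], protocol=protocol)


def clean_sample() -> bytes:
    """Constructed sample input: plain data with no global references at all."""
    return pickle.dumps({"lr": 0.01, "layers": [64, 64]}, protocol=4)


if __name__ == "__main__":
    for proto in (0, 2, 4, 5):
        print("protocol", proto, "flagged:", flagged_references(constructed_sample(proto)))
    print("clean sample flagged:", flagged_references(clean_sample()))
```

Run the scan over the extracted pickle bytes (for a PyTorch checkpoint, the data.pkl member of the zip), and treat any non-empty result from flagged_references as a block. The tracker deliberately follows only string pushes and memo traffic; a production scanner should simulate the full stack, but for the module/attribute pair that STACK_GLOBAL consumes this is sufficient across protocols 0 to 5.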

Mitigation Strategies

The primary immediate mitigation is to update picklescan to version 1.0.4 or later, where the affected modules are added to the blocklist.

As a temporary workaround, patch your deployed copy of picklescan so that its unsafe-module list also covers uuid, _osx_support, _aix_support, _pyrepl.pager, imaplib and test.support.script_helper, bearing in mind that the description says "at least seven" modules while naming only these six, so a local patch may still be incomplete.

Consider a more robust design than a blocklist: unpickle only through an Unpickler whose find_class accepts a fixed allowlist of module/attribute pairs and rejects every other global (default deny), so a module the blocklist never heard of cannot be imported at all.
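The default-deny loader described above, as an added example for this page rather than code from picklescan or any other project: a pickle.Unpickler subclass whose find_class consults an allowlist and raises for everything else. Because find_class is what resolves GLOBAL, STACK_GLOBAL, INST and OBJ references, refusing there stops the import itself, so a reference to uuid or any other module absent from the allowlist is never resolved, whether or not a blocklist knows about it. The SAFE_GLOBALS table, the class and function names and the two sample pickles are this example's own assumptions; the flagged sample only references uuid.uuid4 and calls nothing.

```python
import collections
import io
import pickle
import uuid  # only used to build the constructed sample; nothing from it is called

# Default-deny allowlist: module -> attribute names the unpickler may resolve.
# Every entry is a callable that REDUCE may invoke with attacker-chosen arguments,
# so keep it to harmless constructors; never allowlist getattr, eval, exec,
# os.* or subprocess.*. Pickles written with protocol <= 2 spell the builtins
# module "__builtin__"; add that alias if you must accept such files.
SAFE_GLOBALS: dict[str, frozenset[str]] = {
    "builtins": frozenset({"range", "slice", "complex", "frozenset", "bytearray"}),
    "collections": frozenset({"OrderedDict", "deque"}),
}


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted globals (default deny)."""

    def find_class(self, module: str, name: str):
        # Invoked for GLOBAL, STACK_GLOBAL, INST and OBJ opcodes. Raising here
        # means the module is never imported, so its module-level code never runs.
        if name in SAFE_GLOBALS.get(module, frozenset()):
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to resolve global {module}.{name}: not on the allowlist"
        )


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads that enforces the allowlist."""
    return AllowlistUnpickler(io.BytesIO(data)).load()


def try_load(data: bytes) -> tuple[bool, object]:
    """(True, object) on success, (False, reason) when the allowlist refuses."""
    try:
        return True, restricted_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


def safe_sample() -> bytes:
    """Constructed: plain data plus two allowlisted globals (range, OrderedDict)."""
    obj = {"lr": 0.01, "steps": range(3),
           "layers": collections.OrderedDict(conv1=64, fc=10)}
    return pickle.dumps(obj, protocol=4)


def flagged_sample() -> bytes:
    """Constructed: a benign reference to uuid.uuid4 (nothing is called), i.e. the
    kind of import a blocklist that omits uuid would wave through."""
    return pickle.dumps({"rng": uuid.uuid4}, protocol=4)


if __name__ == "__main__":
    print("safe sample:", try_load(safe_sample()))
    print("flagged sample:", try_load(flagged_sample()))
```

The allowlist is a load-time control and complements, rather than replaces, a pre-load scan: it protects the process that calls restricted_loads, but a model registry that merely stores and forwards files still needs to scan them. Note that an allowlist shifts the review burden to the entries themselves; every allowed callable will be invoked by REDUCE with arguments the file author controls.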

Additionally, monitor and restrict uploads of pickle files in your environment, especially in ML pipelines, model registries, or any system relying on picklescan for pickle safety validation.

Compliance Impact

CVE-2026-56315 allows attackers to achieve remote code execution by bypassing picklescan's safety validation, which can lead to unauthorized access and control over systems that rely on picklescan for security.

Such unauthorized code execution and potential data breaches could impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data security and protection against unauthorized access.

Specifically, if systems handling sensitive personal or health data use vulnerable versions of picklescan, this flaw could lead to violations of confidentiality, integrity, and availability requirements mandated by these regulations.

Therefore, organizations using affected picklescan versions should update to version 1.0.4 or later and consider adopting more secure validation approaches to maintain compliance.
