Mmaitre314 Picklescan
By the Year
In 2026 there have been 15 vulnerabilities in Mmaitre314 Picklescan with an average score of 8.9 out of ten. Last year, in 2025, Picklescan had 7 security vulnerabilities published. That is, 8 more vulnerabilities have already been reported in 2026 than in all of last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 15 | 8.92 |
| 2025 | 7 | 0.00 |
It may take a day or so for new Picklescan vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Mmaitre314 Picklescan Security Vulnerabilities
picklescan <0.0.30 cProfile.runctx Detection Bypass RCE
CVE-2025-71378 | 8.1 - High | June 21, 2026
picklescan before 0.0.30 fails to detect cProfile.runctx function calls in pickle file reduce methods, allowing attackers to execute arbitrary code. Malicious pickle files bypass picklescan detection and execute remote code when loaded via pickle.load().
Marshaling, Unmarshaling
Python picklescan <0.0.30 Malicious Pickle Remote Exec via idlelib.pyshell
CVE-2025-71357 | 8.1 - High | June 21, 2026
picklescan before 0.0.30 fails to detect malicious pickle files using idlelib.pyshell.ModifiedInterpreter.runcommand in reduce methods. Attackers can embed undetected code in pickle files that executes remote commands when loaded by victims.
Marshaling, Unmarshaling
Remote Code Execution in picklescan <0.0.25 due to unrecognized pickle files
CVE-2025-71351 | June 21, 2026
picklescan before 0.0.25 fails to detect malicious pickle files that use timeit.timeit() in the __reduce__ method, allowing remote code execution. Attackers can craft pickle files that import dangerous libraries like os and execute arbitrary system commands; such files evade picklescan detection and execute when pickle.load() is called.
Denylist / Deny List
picklescan <0.0.28 RCE via torch.utils._config_module.load_config in reduce
CVE-2025-71348 | 8.1 - High | June 21, 2026
picklescan before 0.0.28 fails to detect malicious pickle files that invoke torch.utils._config_module.load_config function within reduce methods. Attackers can craft pickle files embedding arbitrary code that evades detection but executes during pickle.load, enabling remote code execution in supply chain attacks.
Marshaling, Unmarshaling
unsafe pickle deserialization in picklescan <1.0.1 via logging.FileHandler
CVE-2026-56304 | 6.5 - Medium | June 20, 2026
picklescan before 1.0.1 contains an unsafe pickle deserialization vulnerability allowing unauthenticated attackers to create arbitrary zero-byte files via logging.FileHandler class instantiation. Attackers can exploit this by crafting malicious pickle payloads to bypass RCE blocklists and create lock files or other filesystem artifacts, potentially causing denial of service or application disruption.
Marshaling, Unmarshaling
picklescan <1.0.3 Scan_pytorch Bypass using __reduce__ Eval
CVE-2026-53875 | June 17, 2026
picklescan before 1.0.3 contains a scanning bypass vulnerability in the scan_pytorch function that allows attackers to embed malicious magic numbers via dynamic eval using the __reduce__ trick. Attackers can craft malicious PyTorch payloads that evade picklescan detection while remaining executable, enabling arbitrary code execution when loaded with torch.load().
Eval Injection
picklescan unsafe deserialization before 1.0.1
CVE-2026-53874 | 9.8 - Critical | June 17, 2026
picklescan before 1.0.1 contains an unsafe deserialization vulnerability allowing unauthenticated users to execute arbitrary code by hiding eval calls nested under callable objects via getattr. Attackers can embed malicious code in pickle files that evades detection but executes when the pickle is loaded from untrusted sources.
Marshaling, Unmarshaling
PickleScan <1.0.4 Arbitrary Code Execution via Profile.run Blocklist Bypass
CVE-2026-53873 | 9.8 - Critical | June 17, 2026
picklescan before 1.0.4 contains an incomplete blocklist for the profile module that fails to block the module-level profile.run() function, allowing attackers to achieve arbitrary code execution via exec(). Attackers can craft malicious pickle files calling profile.run(statement) to execute arbitrary Python code while picklescan reports zero security issues.
Denylist / Deny List
picklescan <0.0.35: unsafe pickle deserialization reads arbitrary files
CVE-2026-53872 | 7.5 - High | June 17, 2026
picklescan before 0.0.35 contains an unsafe pickle deserialization vulnerability allowing unauthenticated attackers to read arbitrary server files by chaining io.FileIO and urllib.request.urlopen. Attackers can bypass RCE-focused blocklists to exfiltrate sensitive data like /etc/passwd to external servers.
Directory traversal
picklescan <1.0.4: pkgutil.resolve_name allows RCE
CVE-2026-3490 | 10 - Critical | June 17, 2026
picklescan before 1.0.4 fails to block pkgutil.resolve_name, allowing attackers to bypass the entire blocklist by resolving any dangerous function through indirect REDUCE calls. Remote attackers can invoke any blocked function such as os.system, builtins.exec, or subprocess.call to achieve remote code execution.
Allowlist / Allow List
Picklescan <0.0.27: Parsing Error Allows Malicious Pickle Bypass
CVE-2025-71325 | 9.8 - Critical | June 17, 2026
picklescan before 0.0.27 contains a parsing logic error in the _list_globals function when handling STACK_GLOBAL opcodes, failing to track arguments in the correct range and allowing malicious pickle files to bypass detection. Attackers can craft pickle files with arguments at position zero to trigger unexpected exceptions and evade security scanning.
Unchecked Error Condition
CVE-2025-71323 Picklescan <0.0.33 RCE via ctypes module bypass
CVE-2025-71323 | 9.8 - Critical | June 17, 2026
picklescan before 0.0.33 fails to block the ctypes module, allowing attackers to achieve remote code execution by invoking direct syscalls and accessing raw memory. Attackers can craft malicious pickle files using ctypes.WinDLL to load kernel32.dll and execute arbitrary commands, bypassing sandbox protections and gadget chain detection.
Denylist / Deny List
PickleScan <0.0.33 Remote Code Exec via pty.spawn
CVE-2025-71322 | 8.8 - High | June 17, 2026
PickleScan before 0.0.33 fails to include the pty.spawn function in its unsafe globals list, allowing attackers to bypass security checks. Malicious actors can craft pickle payloads using pty.spawn to achieve arbitrary code execution when files are processed by PickleScan.
Protection Mechanism Failure
Picklescan <0.0.33 Arbitrary File Write via distutils.file_util.write_file
CVE-2025-71321 | 9.8 - Critical | June 17, 2026
picklescan before 0.0.33 contains an arbitrary file writing vulnerability that allows attackers to bypass the dangerous blocklist by using distutils.file_util.write_file. Attackers can construct malicious pickle objects to overwrite critical system files and achieve denial of service or remote code execution.
Marshaling, Unmarshaling
Picklescan <0.0.33 CVE-2025-71320 Deny-List Bypass -> Arbitrary Code Execution
CVE-2025-71320 | 9.8 - Critical | June 17, 2026
picklescan before 0.0.33 contains an incomplete deny-list that fails to block pydoc.locate and operator.methodcaller functions, allowing attackers to bypass security checks. Remote attackers can craft malicious pickle files using these unblocked functions to achieve arbitrary code execution when the pickle is deserialized.
Denylist / Deny List
Picklescan <=0.0.30: Unsafe Globals Bypass via Submodule
CVE-2025-10157 | September 17, 2025
A Protection Mechanism Failure vulnerability in mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass the unsafe globals check. This is possible because the scanner performs an exact match on module names, allowing malicious payloads to be loaded via submodules of dangerous packages (e.g., 'asyncio.unix_events' instead of 'asyncio'). When the file incorrectly considered safe is loaded after the scan, it can lead to the execution of malicious code.
Protection Mechanism Failure
picklescan ZIP CRC Bypass: EIC Issue in Archive Scanning
CVE-2025-10156 | September 17, 2025
An Improper Handling of Exceptional Conditions vulnerability in the ZIP archive scanning component of mmaitre314 picklescan allows a remote attacker to bypass security scans. This is achieved by crafting a ZIP archive containing a file with a bad Cyclic Redundancy Check (CRC), which causes the scanner to halt and fail to analyze the contents for malicious pickle files. When the file incorrectly considered safe is loaded, it can lead to the execution of malicious code.
Improper Handling of Exceptional Conditions
mmaitre314 picklescan <=0.0.30 Improper Input Validation in Pickle Parsing
CVE-2025-10155 | September 17, 2025
An Improper Input Validation vulnerability in the scanning logic of mmaitre314 picklescan versions up to and including 0.0.30 allows a remote attacker to bypass pickle file security checks by supplying a standard pickle file with a PyTorch-related file extension. When the pickle file incorrectly considered safe is loaded, it can lead to the execution of malicious code.
Improper Input Validation
picklescan <0.0.23: ZIP crash via manipulated header
CVE-2025-1944 | March 10, 2025
picklescan before 0.0.23 is vulnerable to a ZIP archive manipulation attack that causes it to crash when attempting to extract and scan PyTorch model archives. By modifying the filename in the ZIP header while keeping the original filename in the directory listing, an attacker can make PickleScan raise a BadZipFile error. However, PyTorch's more forgiving ZIP implementation still allows the model to be loaded, enabling malicious payloads to bypass detection.
Insufficient Verification of Data Authenticity
picklescan <0.0.23 ZIP flag bits flaw allows hidden malicious pickles
CVE-2025-1945 | March 10, 2025
picklescan before 0.0.23 fails to detect malicious pickle files inside PyTorch model archives when certain ZIP file flag bits are modified. By flipping specific bits in the ZIP file headers, an attacker can embed malicious pickle files that remain undetected by PickleScan while still being successfully loaded by PyTorch's torch.load(). This can lead to arbitrary code execution when loading a compromised model.
Insufficient Verification of Data Authenticity
Picklescan <0.0.22 Skips Non-Std Pickle Files in Scan
CVE-2025-1889 | March 03, 2025
picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. An attacker could craft a malicious model that uses Pickle and include a malicious pickle file with a non-standard file extension. Because the malicious pickle file inclusion is not considered as part of the scope of picklescan, the file would pass security checks and appear to be safe, when it could instead prove to be problematic.
Reliance on File Name or Extension of Externally-Supplied File
picklescan <0.0.21 Unsafe Global 'pip' Allows Malicious PyPI Code
CVE-2025-1716 | February 26, 2025
picklescan before 0.0.21 does not treat 'pip' as an unsafe global. An attacker could craft a malicious model that uses Pickle to pull in a malicious PyPI package (hosted, for example, on pypi.org or GitHub) via `pip.main()`. Because pip is not a restricted global, the model, when scanned with picklescan, would pass security checks and appear to be safe, when it could instead prove to be problematic.
Denylist / Deny List