ByteOS Network

NVD Vulnerability Details :

CVE-2026-56315

Deferred

Source-disclosure@vulncheck.com

Published At-23 Jun, 2026 | 13:16

Updated At-23 Jun, 2026 | 14:52

picklescan before 1.0.4 fails to block at least seven Python standard library modules (including uuid, _osx_support, _aix_support, _pyrepl.pager, and imaplib) exposing eight functions that provide direct arbitrary command execution. Attackers can craft malicious pickle files importing these unblocked modules to achieve remote code execution while bypassing picklescan's safety validation entirely.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	4.0	9.3	CRITICAL	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Secondary	3.1	9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
			N/A

Type: Secondary

Version: 4.0

Base score: 9.3

Base severity: CRITICAL

Vector:

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Type: Secondary

Version: 3.1

Base score: 9.8

Base severity: CRITICAL

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Type: N/A

Version:

Base score:

Base severity: N/A

Vector:

Weaknesses

CWE ID	Type	Source
CWE-184	Secondary	disclosure@vulncheck.com

CWE ID: CWE-184

Type: Secondary

Source: disclosure@vulncheck.com

References

Hyperlink	Source	Resource
https://github.com/mmaitre314/picklescan/security/advisories/GHSA-g38g-8gr9-h9xp	disclosure@vulncheck.com	N/A
https://www.vulncheck.com/advisories/picklescan-remote-code-execution-via-unblocked-standard-library-modules	disclosure@vulncheck.com	N/A
https://github.com/mmaitre314/picklescan/security/advisories/GHSA-g38g-8gr9-h9xp	134c704f-9b21-4f2e-91b3-4a467353bcc0	N/A