HIGH 7.8

PYSEC-2026-247

Details

picklescan before 0.0.30 fails to detect cProfile.runctx function calls in pickle file reduce methods, allowing attackers to execute arbitrary code. Malicious pickle files bypass picklescan detection and execute remote code when loaded via pickle.load().

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / picklescan

Introduced in: 0 Fixed in: 0.0.30

Fix pip install --upgrade 'picklescan>=0.0.30'

References

https://www.vulncheck.com/advisories/picklescan-remote-code-execution-via-undetected-cprofile-runctx-in-pickle-files [ADVISORY]
https://github.com/mmaitre314/picklescan/security/advisories/GHSA-9w88-8rmg-7g2p [EVIDENCE]