PatchSiren cyber security CVE debrief

CVE-2026-53873 picklescan CVE debrief

CVE-2026-53873 is a critical vulnerability in the picklescan library before version 1.0.4. The issue lies in the incomplete blocklist for the profile module, which fails to block the module-level profile.run() function. This allows attackers to craft malicious pickle files that call profile.run(statement) to execute arbitrary Python code, while picklescan reports zero security issues. The vulnerability has a CVSS score of 9.3 and is considered CRITICAL. Users of picklescan should update to version 1.0.4 or later to mitigate this vulnerability.

Vendor: picklescan
Product: Unknown
CVSS: CRITICAL 9.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-17
Advisory published: 2026-06-17
Advisory updated: 2026-06-17

Who should care

Developers and users of the picklescan library, especially those who handle untrusted input or use picklescan for security scanning, should be aware of this vulnerability and take immediate action to update to a patched version.

Technical summary

picklescan before 1.0.4 blocklists unsafe callables from the profile module, but the blocklist is incomplete: it does not cover the module-level profile.run() function. A pickle file whose deserialization resolves and calls profile.run(statement) therefore passes the scan with no findings, and the statement runs as arbitrary Python code when the pickle is loaded.
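The gap above is a blocklist-coverage problem, so the defensive check worth having is a static one: walk a pickle's opcode stream without ever unpickling it and flag any GLOBAL/STACK_GLOBAL reference to a code-running callable such as profile.run. The script below is an added example, not picklescan's code; its DANGEROUS_GLOBALS set is an illustrative assumption rather than the project's blocklist, and its sample inputs are constructed (they only reference profile.run and are never loaded).

```python
import pickle
import pickletools

# Module-level callables that run arbitrary code. profile.run/runctx and the
# cProfile twins are the CVE-2026-53873 gap; the rest are illustrative (assumption).
DANGEROUS_GLOBALS = {
    ("profile", "run"), ("profile", "runctx"),
    ("cProfile", "run"), ("cProfile", "runctx"),
    ("builtins", "exec"), ("builtins", "eval"),
    ("os", "system"), ("subprocess", "Popen"),
}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
              "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}

def find_global_refs(data: bytes) -> list[tuple[str, str]]:
    """Walk the opcode stream (never unpickling) and return every
    (module, name) pair resolved by GLOBAL or STACK_GLOBAL."""
    refs, strings, memo, memo_len = [], [], {}, 0
    for op, arg, _ in pickletools.genops(data):
        if op.name in STRING_OPS:
            strings.append(arg)             # only strings are tracked
        elif op.name == "MEMOIZE":          # proto 4: memo[len(memo)] = top
            memo[memo_len] = strings[-1] if strings else None
            memo_len += 1
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = strings[-1] if strings else None
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            strings.append(memo.get(arg))   # re-pushed memoized string
        elif op.name == "GLOBAL":           # proto <= 3: arg is "module name"
            mod, name = arg.split(" ", 1)
            refs.append((mod, name))
        elif op.name == "STACK_GLOBAL":     # proto 4: pops name, then module
            name = strings.pop() if strings else None
            mod = strings.pop() if strings else None
            refs.append((mod, name))
    return refs

def scan(data: bytes) -> list[str]:
    """Dangerous globals the pickle references, e.g. ['profile.run']."""
    return [f"{m}.{n}" for m, n in find_global_refs(data)
            if (m, n) in DANGEROUS_GLOBALS]

def constructed_samples() -> dict[str, bytes]:
    """Constructed inputs: pickles that only reference profile.run (loading
    them would merely return the function), plus a benign dict."""
    import profile
    return {"ref_p4": pickle.dumps(profile.run, protocol=4),
            "ref_p2": pickle.dumps(profile.run, protocol=2),
            "benign": pickle.dumps({"profile": "run", "n": 1})}
```

Run scan() over each sample: both profile.run references report ['profile.run'] under protocol 2 (GLOBAL) and protocol 4 (STACK_GLOBAL), while the benign dict, which contains the strings "profile" and "run" but no global lookup, reports nothing.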

Defensive priority

High

Recommended defensive actions

  • Update picklescan to version 1.0.4 or later
  • Use trusted sources for pickle files
  • Implement additional security measures for handling untrusted input
  • Monitor for suspicious activity related to pickle file processing
  • Consider using alternative libraries with more comprehensive blocklists
  • Restrict access to pickle file processing to authorized users only
  • Regularly review and update security configurations for picklescan

Evidence notes

The information provided is based on the CVE record and NVD details. The vulnerability was published on 2026-06-17T17:17:25.607Z and modified on 2026-06-17T20:21:59.863Z. The CVSS score of 9.3 indicates a critical vulnerability.

Official resources

CVE-2026-53873 was published on 2026-06-17T17:17:25.607Z and modified on 2026-06-17T20:21:59.863Z.