cvedb.io
CVE-2026-22607
HIGH · CVSS 7.8
EPSS exploitation probability: 0%
Published 2026-01-10T02:15:49.780 · Last modified 2026-06-17T10:20:09.220

Summary

Fickling is a Python pickling decompiler and static analyzer. Fickling versions up to and including 0.1.6 do not treat Python's cProfile module as unsafe. Because of this, a malicious pickle that uses cProfile.run() is classified as SUSPICIOUS instead of OVERTLY_MALICIOUS. If a user relies on Fickling's output to decide whether a pickle is safe to deserialize, this misclassification can lead them to execute attacker-controlled code on their system. This affects any workflow or product that uses Fickling as a security gate for pickle deserialization. This issue has been patched in version 0.1.7.

Affected products

trailofbits — fickling

Does this affect you?

Add your gear to cvedb and we'll alert you only when trailofbits ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.