cvedb.io
CVE-2026-53873
CRITICAL · CVSS 9.8
EPSS exploitation probability: 0%
Published 2026-06-17T17:17:25.607 · Last modified 2026-06-17T20:21:59.863

Summary

picklescan before 1.0.4 contains an incomplete blocklist for the profile module that fails to block the module-level profile.run() function, allowing attackers to achieve arbitrary code execution via exec(). Attackers can craft malicious pickle files calling profile.run(statement) to execute arbitrary Python code while picklescan reports zero security issues.

Does this affect you?

Add your gear to cvedb and we'll alert you only when a vendor you run ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.