CVE-2026-22608

High CVSS: 8.9

Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, both ctypes and pydoc modules aren't explicitly blocked. Even other existing pickle scanning tools (like picklescan) do not block pydoc.locate. Chaining these two together can achieve RCE while the scanner still reports the file as LIKELY_SAFE. This issue has been patched in version 0.1.7.

Vendor

Trailofbits

Product

Fickling

CWE

CWE-184

Yayın Tarihi

2026-01-10 02:15:49

Güncelleme

2026-01-16 18:57:26

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-184 Fickling HIGH Trailofbits 2026

Referanslar

https://github.com/trailofbits/fickling/commit/b793563e60a5e039c5837b09d7f4f6b92e6040d1 https://github.com/trailofbits/fickling/releases/tag/v0.1.7 https://github.com/trailofbits/fickling/security/advisories/GHSA-5hvc-6wx8-mvv4 https://github.com/trailofbits/fickling/security/advisories/GHSA-5hvc-6wx8-mvv4

Benzer Kayıtlar

High

CVE-2026-22609

Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, the unsafe_imports() method in Fic…

High

CVE-2026-22612

Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, Fickling is vulnerable to detectio…

High

CVE-2026-22606

Fickling is a Python pickling decompiler and static analyzer. Fickling versions up to and including 0.1.6 do not treat P…

High

CVE-2026-22607

Fickling is a Python pickling decompiler and static analyzer. Fickling versions up to and including 0.1.6 do not treat P…

High

CVE-2025-67747

Fickling is a Python pickling decompiler and static analyzer. Versions prior to 0.1.6 are missing `marshal` and `types`…

High

CVE-2025-67748

Fickling is a Python pickling decompiler and static analyzer. Versions prior to 0.1.6 had a bypass caused by `pty` missi…