⚠ Withdrawn by GitHub Security Advisories

Withdrawn: June 18, 2026

GHSA-4mpj-78p6-rj59CriticalCVSS 9.8Disclosed before NVD

Duplicate Advisory: PickleScan's profile.run blocklist mismatch allows exec() bypass

Published
June 17, 2026
Last Modified
June 18, 2026

📋 Description

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-7wx9-6375-f5wh. This link is maintained to preserve external references.

Original Description

picklescan before 1.0.4 contains an incomplete blocklist for the profile module that fails to block the module-level profile.run() function, allowing attackers to achieve arbitrary code execution via exec(). Attackers can craft malicious pickle files calling profile.run(statement) to execute arbitrary Python code while picklescan reports zero security issues.

🎯 Affected products1

  • pip/picklescan:< 1.0.4

🔗 References (4)