⚠ Withdrawn by GitHub Security Advisories

Withdrawn: June 18, 2026

GHSA-5v23-73v4-w2fpHighCVSS 7.5Disclosed before NVD

Duplicate Advisory: picklescan has Arbitrary file read using `io.FileIO`

Published
June 17, 2026
Last Modified
June 18, 2026

📋 Description

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-9726-w42j-3qjr. This link is maintained to preserve external references.

Original Description

picklescan before 0.0.35 contains an unsafe pickle deserialization vulnerability allowing unauthenticated attackers to read arbitrary server files by chaining io.FileIO and urllib.request.urlopen. Attackers can bypass RCE-focused blocklists to exfiltrate sensitive data like /etc/passwd to external servers.

🎯 Affected products1

  • pip/picklescan:< 0.0.35

🔗 References (4)