⚠ Withdrawn by GitHub Security Advisories
Withdrawn: June 18, 2026
GHSA-5v23-73v4-w2fpHighCVSS 7.5Disclosed before NVD
Duplicate Advisory: picklescan has Arbitrary file read using `io.FileIO`
📋 Description
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-9726-w42j-3qjr. This link is maintained to preserve external references.
Original Description
picklescan before 0.0.35 contains an unsafe pickle deserialization vulnerability allowing unauthenticated attackers to read arbitrary server files by chaining io.FileIO and urllib.request.urlopen. Attackers can bypass RCE-focused blocklists to exfiltrate sensitive data like /etc/passwd to external servers.
🎯 Affected products1
- pip/picklescan:< 0.0.35