⚠ Withdrawn by GitHub Security Advisories

Withdrawn: June 18, 2026

GHSA-j6c9-qvp8-699fCriticalCVSS 9.8Disclosed before NVD

Duplicate Advisory: picklescan missing detection by simple obfuscation of a `builtins.eval` call

Published
June 17, 2026
Last Modified
June 18, 2026

📋 Description

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-9m3x-qqw2-h32h. This link is maintained to preserve external references.

Original Description

picklescan before 1.0.1 contains an unsafe deserialization vulnerability allowing unauthenticated users to execute arbitrary code by hiding eval calls nested under callable objects via getattr. Attackers can embed malicious code in pickle files that evades detection but executes when the pickle is loaded from untrusted sources.

🎯 Affected products1

  • pip/picklescan:< 1.0.1

🔗 References (4)