High severity · OSV Advisory · Published Jan 10, 2026 · Updated Jan 14, 2026
Fickling has Static Analysis Bypass via Incomplete Dangerous Module Blocklist
CVE-2026-22609
Description
Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, the unsafe_imports() method in Fickling's static analyzer fails to flag several high-risk Python modules that can be used for arbitrary code execution. Malicious pickles importing these modules will not be detected as unsafe, allowing attackers to bypass Fickling's primary static safety checks. This issue has been patched in version 0.1.7.
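As an added illustration of the bug class (this is not Fickling's code and does not reproduce its blocklist), the snippet below extracts the modules a pickle would import using only pickletools.genops, which decodes opcodes without loading anything, then shows why a blocklist check misses a module nobody remembered to list while an allowlist check does not. BLOCKLIST, ALLOWLIST and the placeholder module name example_unlisted are constructed for the example.

```python
import collections
import pickle
import pickletools

# Constructed, deliberately incomplete blocklist of the kind a naive static
# checker might carry (illustrative; not Fickling's actual list).
BLOCKLIST = {"os", "subprocess", "builtins"}
# Allowlist: the only modules this hypothetical application expects to load.
ALLOWLIST = {"collections"}

def pickle_imports(data: bytes) -> list[str]:
    """List 'module.attr' names a pickle would import, without loading it.
    GLOBAL carries both names inline; STACK_GLOBAL takes them from the two
    most recent string pushes, which is what the standard pickler emits.
    A hand-built pickle could feed STACK_GLOBAL from memo gets instead, so a
    production checker should emulate the full stack rather than use this shortcut.
    """
    imports, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, attr = arg.split(" ", 1)
            imports.append(f"{module}.{attr}")
        elif op.name in {"STRING", "BINSTRING", "SHORT_BINSTRING",
                         "UNICODE", "BINUNICODE", "SHORT_BINUNICODE"}:
            strings.append(arg)
        elif op.name == "STACK_GLOBAL":
            module, attr = strings[-2], strings[-1]
            imports.append(f"{module}.{attr}")
    return imports

def blocklist_flags(imports: list[str]) -> list[str]:
    """Blocklist check: flags only modules someone remembered to list."""
    return [name for name in imports if name.split(".", 1)[0] in BLOCKLIST]

def allowlist_flags(imports: list[str]) -> list[str]:
    """Allowlist check: flags every module not explicitly expected."""
    return [name for name in imports if name.split(".", 1)[0] not in ALLOWLIST]

# Constructed samples. BENIGN is a normal pickle of a stdlib object;
# UNLISTED is a protocol-0 pickle whose GLOBAL opcode names a placeholder
# module absent from BLOCKLIST (it is never loaded here, only parsed).
BENIGN = pickle.dumps(collections.OrderedDict([("a", 1)]))
UNLISTED = b"cexample_unlisted\nLoader\n."

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("unlisted", UNLISTED)):
        found = pickle_imports(blob)
        print(label, found, "blocklist:", blocklist_flags(found),
              "allowlist:", allowlist_flags(found))
```

The unlisted sample passes the blocklist check untouched, which is exactly the gap the advisory describes; the allowlist check flags it because detection no longer depends on the completeness of a list of dangerous modules.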
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| fickling (PyPI) | < 0.1.7 | 0.1.7 |
Affected products
- Range: master, v0.0.1, v0.0.2, …
References
- github.com/advisories/GHSA-q5qq-mvfm-j35x (advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-22609 (advisory)
- github.com/trailofbits/fickling/blob/977b0769c13537cd96549c12bb537f05464cf09c/test/test_bypasses.py (web)
- github.com/trailofbits/fickling/commit/29d5545e74b07766892c1f0461b801afccee4f91 (web)
- github.com/trailofbits/fickling/commit/6b400e1a2525e6a4a076c97ccc0d4d9581317101 (web)
- github.com/trailofbits/fickling/commit/9a2b3f89bd0598b528d62c10a64c1986fcb09f66 (web)
- github.com/trailofbits/fickling/commit/b793563e60a5e039c5837b09d7f4f6b92e6040d1 (web)
- github.com/trailofbits/fickling/commit/eb299b453342f1931c787bcb3bc33f3a03a173f9 (web)
- github.com/trailofbits/fickling/pull/195 (web)
- github.com/trailofbits/fickling/releases/tag/v0.1.7 (web)
- github.com/trailofbits/fickling/security/advisories/GHSA-q5qq-mvfm-j35x (vendor confirmation)