VYPR Research · Published Jun 23, 2026 · Updated Jun 30, 2026 · 1 source

Picklescan: Nine RCE Vulnerabilities Disclosed Together via Detection Bypasses


Key findings

  • Nine RCE vulnerabilities in picklescan disclosed between June 21-23, 2026, due to detection bypasses.
  • Flaws involve bypassing detection of standard library modules and functions in __reduce__ methods.
  • Vulnerabilities affect various versions, with patches ranging from 0.0.28 to 1.0.4.
  • Exploitation enables arbitrary code execution via malicious pickle files, posing supply chain risks.
  • Users must update picklescan to patched versions to mitigate these critical security risks.

On June 21-23, 2026, a batch of nine vulnerabilities was disclosed for the Python package picklescan, a scanner meant to flag malicious pickle files before they are loaded. Each one is a detection bypass: a pickle whose __reduce__ payload invokes a callable that picklescan did not recognise as dangerous passes the scan, and that callable runs arbitrary code the moment the file is unpickled. The flaws were reported by several researchers and coordinated through disclosure channels, and together they show how fragile picklescan's validation of untrusted pickle files is. Underneath, picklescan works from a blocklist of known-dangerous globals (os.system, subprocess, builtins.eval and the like); each of these CVEs names a standard-library or third-party function that reaches the same effect but was missing from that list.

Several CVEs point to bypasses involving Python's standard library modules. CVE-2026-56315, for instance, covers picklescan before version 1.0.4, which does not block the modules uuid, _osx_support, and imaplib even though they expose functions capable of direct command execution. Similarly, CVE-2025-71376 and CVE-2025-71357 report that versions prior to 0.0.29 and 0.0.30, respectively, do not flag pickles that reduce to idlelib.autocomplete.AutoComplete.fetch_completions or idlelib.pyshell.ModifiedInterpreter.runcommand.

The batch also includes gadgets found in popular third-party libraries. CVE-2025-71370 and CVE-2025-71348 indicate that picklescan versions before 0.0.28 missed calls to torch.jit.unsupported_tensor_ops.execWrapper and torch.utils._config_module.load_config. Furthermore, CVE-2025-71365 and CVE-2025-71339 show that versions prior to 0.0.33 failed to detect arbitrary code execution via the numpy.f2py.crackfortran.myeval and numpy.f2py.crackfortran._eval_length gadgets, respectively. Another notable vulnerability, CVE-2025-71344, affected versions before 0.0.30, which did not flag pickles that reduce to ensurepip._run_pip. Finally, CVE-2025-71378 covers a bypass of cProfile.runctx detection in versions prior to 0.0.30.

The common thread across these nine CVEs is that picklescan's detection is a blocklist of known-dangerous callables, and each gadget above reaches code execution through a callable that was not on it. An attacker crafts a pickle whose __reduce__ payload names one of these functions; the scan reports the file clean, and the function runs arbitrary code when the victim's system unpickles it. The patched version differs per CVE, from 0.0.28 to 1.0.4, so any release below 1.0.4 is still missing at least one of these fixes. Users should update to the latest available version of picklescan rather than to the version named in a single advisory.

These vulnerabilities pose a significant threat, especially in supply chain attacks where malicious pickle files are distributed through seemingly legitimate channels such as model repositories. The range of bypassed functions, from standard library modules to components of NumPy and PyTorch, underscores why a blocklist can never be complete: any importable callable that reaches exec, eval or a shell is a candidate gadget, and the nine fixes here close only the gadgets that have been reported. Users relying on picklescan should update now and watch for further advisories, but should also treat a clean scan as one signal rather than proof of safety; where possible, load untrusted models from a format that carries no code, or through an unpickler that allows only the globals it expects and refuses everything else. The coordinated disclosure of these flaws emphasises the ongoing challenge of securing the Python ecosystem against deserialization attacks.

Synthesized by Vypr AI