picklescan - Arbitrary File Creation via logging.FileHandler Deserialization

Severity: medium
Date:
Affecting:
  • picklescan >= 0, < 1.0.1

CWE:
  • CWE-502 Deserialization of Untrusted Data
CVSS: 6.9
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
Credit: ez-lbz
Description
picklescan before 1.0.1 contains an unsafe pickle deserialization vulnerability allowing unauthenticated attackers to create arbitrary zero-byte files via logging.FileHandler class instantiation. Attackers can exploit this by crafting malicious pickle payloads to bypass RCE blocklists and create lock files or other filesystem artifacts, potentially causing denial of service or application disruption.
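
Why an RCE-only blocklist misses the class named above while an allowlist does not, shown as a static opcode scan that never unpickles its input. This is an added example, not picklescan's code or part of the advisory; the blocklist and allowlist contents and all function names are assumptions, and the sample pickle is constructed and holds only a reference to the class.

```python
import logging
import pickle
import pickletools

# Constructed RCE-focused blocklist (illustrative, not picklescan's real list).
RCE_BLOCKLIST = {("os", "system"), ("posix", "system"), ("builtins", "eval"),
                 ("builtins", "exec"), ("subprocess", "Popen")}
# Constructed allowlist for a loader that expects only plain containers.
ALLOWLIST = {("collections", "OrderedDict")}
_STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}


def imported_globals(data: bytes):
    """Return (module, name) pairs a pickle would import, without loading it."""
    found, strings = [], []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name in _STRING_OPS:
            strings.append(arg)
        elif opcode.name in ("GLOBAL", "INST"):
            # Protocols 0-3 carry "module name" as one space-separated argument.
            module, _, name = arg.partition(" ")
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL":
            # Protocol 4+: module and name are the two most recent strings.
            # Heuristic: names fetched from the memo are reported unresolved
            # so that an allowlist still rejects them.
            if len(strings) >= 2:
                found.append((strings[-2], strings[-1]))
            else:
                found.append(("<unresolved>", "<unresolved>"))
    return found


def blocklist_hits(data: bytes):
    """Imports an RCE-only blocklist would flag."""
    return [g for g in imported_globals(data) if g in RCE_BLOCKLIST]


def allowlist_violations(data: bytes):
    """Imports a deny-by-default policy would flag."""
    return [g for g in imported_globals(data) if g not in ALLOWLIST]


def sample_reference(protocol: int) -> bytes:
    """Constructed sample: pickles a reference to the class, nothing more."""
    return pickle.dumps(logging.FileHandler, protocol=protocol)
```

A scanner that fails closed on anything outside the allowlist catches file-creating classes like this one without having to enumerate them.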