CyberSec.Space Logo
Back to CVE Browser

CVE-2026-3490

CRITICAL
10.0
CVSS Severity Score
EPSS Score0.0800%
EPSS Percentile21.40th
PublishedJun 17, 2026
Last ModifiedJun 18, 2026

Vulnerability Description

picklescan before 1.0.4 fails to block pkgutil.resolve_name, allowing attackers to bypass the entire blocklist by resolving any dangerous function through indirect REDUCE calls. Remote attackers can invoke any blocked function such as os.system, builtins.exec, or subprocess.call to achieve remote code execution.

Affected Platforms (CPE)

No CPE configurations currently published for this record.

References & Advisories

🔗 https://github.com/mmaitre314/picklescan/security/advisories/GHSA-vvpj-8cmc-gx39
🔗 https://www.vulncheck.com/advisories/picklescan-universal-blocklist-bypass-via-pkgutil-resolve-name
🔗 https://github.com/mmaitre314/picklescan/security/advisories/GHSA-vvpj-8cmc-gx39

Related Vulnerabilities

CVE-2026-4713710.0

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the fix for GHSA-8hg8-63c5-gwmx (CVE-2023-37903) introduced...

CVE-2026-2012710.0

A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, Cisco Catalyst SD-WAN M...

CVE-2026-2018210.0

May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after ...

CVE-2026-4714010.0

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM blocks several dangerous Node.js builtins such as mo...