CVE-2026-3490

CVSS Severity Score: 10.0 (CRITICAL)
EPSS Score: 0.0800%
EPSS Percentile: 21.40th
Published: June 17, 2026
Last Modified: June 18, 2026

Vulnerability Description

picklescan before 1.0.4 fails to block pkgutil.resolve_name, allowing attackers to bypass the entire blocklist by resolving any dangerous function through indirect REDUCE calls. Remote attackers can invoke any blocked function such as os.system, builtins.exec, or subprocess.call to achieve remote code execution.

Affected Platforms (CPE)

No CPE configurations currently published for this record.

References & Advisories
