CVE-2026-56304 | picklescan before 1.0.1 contains an unsafe pickle deserializ… | CVSS 6.5 MEDIUM

Description

picklescan before 1.0.1 contains an unsafe pickle deserialization vulnerability allowing unauthenticated attackers to create arbitrary zero-byte files via logging.FileHandler class instantiation. Attackers can exploit this by crafting malicious pickle payloads to bypass RCE blocklists and create lock files or other filesystem artifacts, potentially causing denial of service or application disruption.

Metadata

CVE ID: CVE-2026-56304
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-20 12:53 UTC
Published: 2026-06-20 15:24 UTC
Last updated: 2026-06-20 15:24 UTC
Primary CWE: CWE-502
Deserialization of Untrusted Data
Vendor / Product: picklescan / picklescan
Sources: cve.org · NVD

Severity & Metrics

6.5 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Affected products (1)

Vendor	Product	Platform	Versions
picklescan	picklescan	—	0 < 1.0.1, 1.0.1

Weakness (CWE)

CWE	Source	Description
CWE-502	cna	Deserialization of Untrusted Data

CVSS scores (2)

Score	Severity	Version	Source	Vector
6.9	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
6.5	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

References (2)

GHSA Advisory GHSA-m7j5-r2p5-c39r https://github.com/mmaitre314/picklescan/security/advisories/GHSA-m7j5-r2p5-c39r
VulnCheck Advisory: picklescan - Arbitrary File Creation via logging.FileHandler Deserialization https://www.vulncheck.com/advisories/picklescan-arbitrary-file-creation-via-logging-filehandler-deserialization