Vulnerability in Fickling Affects Python Standard Library Modules
CVE-2026-14534
8.8HIGH
What is CVE-2026-14534?
The Fickling product from Trail of Bits has a security vulnerability where certain Python standard library modules (_posixsubprocess, site, and atexit) are not included in the UNSAFE_IMPORTS denylist. This oversight permits the check_safety() function to conclude a LIKELY_SAFE status for pickle payloads that can invoke potentially dangerous functions. As a result, functions capable of executing random binaries or running arbitrary site customization code may be triggered during the deserialization of payloads, exposing systems to significant security risks. The vulnerability underscores the importance of rigorous input validation and the need to update to the latest versions that address these issues.
Affected Version(s)
fickling 0 <= 0.1.10
fickling 0.1.11
