Vulnerability in Fickling: Python Standard Library Modules Missing From the Import Denylist
CVE-2026-14534

8.8 HIGH

Key Information:

Vendor: Trail of Bits
CVE Published: 4 July 2026

What is CVE-2026-14534?

Fickling, Trail of Bits' pickle decompiler and static analyzer, decides whether a pickle is safe to load largely by comparing the modules a payload imports against a denylist, UNSAFE_IMPORTS. In the affected versions that denylist omits three Python standard library modules: _posixsubprocess, site, and atexit. Because nothing on the list matches, check_safety() reports LIKELY_SAFE for a payload that imports them, even though _posixsubprocess exposes the fork-and-exec primitive the subprocess module is built on (so a payload can execute arbitrary binaries), site runs arbitrary site customization code, and atexit lets a payload register code to run when the interpreter exits. A consumer that trusts the LIKELY_SAFE verdict and then deserializes the payload therefore executes attacker-controlled code. The fix is to upgrade to a release that adds these modules to the denylist. More generally, a module denylist can only ever name the dangerous imports its authors thought of, so a LIKELY_SAFE verdict means "nothing known was found", not that loading the pickle is safe; untrusted pickles should still not be loaded at all where that can be avoided.
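The following is an added example, not fickling's own code, that reimplements the idea behind a module denylist in a few lines so the gap described above can be seen on concrete bytes. The two denylists, the sample pickles and the verdict strings are constructed for this illustration (the denylists are small subsets chosen here, not the real UNSAFE_IMPORTS); the scanner only disassembles opcodes with pickletools and never loads anything.

```python
"""Module-denylist scanning of pickle imports, as an illustration.

Added example, not fickling's code. The denylists below are illustrative
subsets chosen for this example, not fickling's real UNSAFE_IMPORTS.
"""
import pickletools

# Illustrative denylist that, like the affected releases, omits the three
# modules named in the advisory.
INCOMPLETE_DENYLIST = frozenset(
    {"os", "posix", "nt", "subprocess", "builtins", "sys", "shutil", "socket"}
)

# The same list with the three modules the fix adds.
FIXED_DENYLIST = INCOMPLETE_DENYLIST | {"_posixsubprocess", "site", "atexit"}

# String-pushing opcodes whose values STACK_GLOBAL (protocol 4+) consumes.
_STRING_OPCODES = {
    "STRING", "BINSTRING", "SHORT_BINSTRING",
    "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
}


def extract_imports(data: bytes) -> list[tuple[str, str]]:
    """Return the (module, name) pairs a pickle would import, without loading it.

    pickletools.genops only disassembles opcodes; nothing is executed.
    Protocols 0-3 spell an import as GLOBAL "module name"; protocol 4+
    pushes the two strings first and then emits STACK_GLOBAL, so the two
    most recently pushed strings are taken as (module, name).
    """
    imports: list[tuple[str, str]] = []
    recent_strings: list[str] = []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            imports.append((module, name))
        elif opcode.name in _STRING_OPCODES:
            recent_strings.append(arg)
        elif opcode.name == "STACK_GLOBAL":
            if len(recent_strings) < 2:
                raise ValueError("STACK_GLOBAL without two preceding strings")
            name = recent_strings.pop()
            module = recent_strings.pop()
            imports.append((module, name))
    return imports


def classify(data: bytes, denylist: frozenset[str]) -> tuple[str, list[tuple[str, str]]]:
    """Denylist verdict for one pickle: ("UNSAFE" | "LIKELY_SAFE", flagged imports).

    The verdict names echo the advisory; this is not check_safety(). An
    import is flagged when its top-level package is on the denylist.
    Everything else is only LIKELY_SAFE: a denylist cannot know about
    modules it does not list, which is exactly the advisory's point.
    """
    flagged = [
        (module, name)
        for module, name in extract_imports(data)
        if module.split(".", 1)[0] in denylist
    ]
    return ("UNSAFE" if flagged else "LIKELY_SAFE"), flagged


# Constructed pickles, hand-assembled from raw opcodes. They only *reference*
# a callable; nothing here ever passes them to pickle.loads.
SAMPLES = {
    # protocol 0: GLOBAL "os\nsystem\n" then STOP
    "os.system": b"cos\nsystem\n.",
    # the fork-and-exec primitive underneath the subprocess module
    "_posixsubprocess": b"c_posixsubprocess\nfork_exec\n.",
    "site": b"csite\naddsitedir\n.",
    # protocol 4: PROTO 4, SHORT_BINUNICODE "atexit", SHORT_BINUNICODE "register",
    # STACK_GLOBAL, STOP
    "atexit": b"\x80\x04\x8c\x06atexit\x8c\x08register\x93.",
    "benign": b"ccollections\nOrderedDict\n.",
}


def compare(samples: dict[str, bytes] = SAMPLES) -> dict[str, tuple[str, str]]:
    """Verdict of each sample under the incomplete and the fixed denylist."""
    return {
        label: (classify(data, INCOMPLETE_DENYLIST)[0], classify(data, FIXED_DENYLIST)[0])
        for label, data in samples.items()
    }


if __name__ == "__main__":
    for label, (before, after) in compare().items():
        print(f"{label:18s} incomplete={before:12s} fixed={after}")
```

Running the module prints one row per sample: os.system is UNSAFE under both lists, the three advisory modules flip from LIKELY_SAFE to UNSAFE once they are on the list, and the benign reference stays LIKELY_SAFE. The same table also shows the structural limit of the approach: any dangerous module not on the list produces the same LIKELY_SAFE verdict as collections.OrderedDict, so the verdict is evidence of absence only for the names the list contains.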

Affected Version(s)

fickling, all releases from 0 up to and including 0.1.10

fickling 0.1.11

CVSS V3.1

Score: 8.8
Severity: HIGH
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required (the victim has to scan and then load the attacker's pickle)
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability reserved

  • Vulnerability published: 4 July 2026

Credit

Christopher Aziz (Bombadil Systems LLC)