UnsafeImports Issue in Trail of Bits Fickling up to Version 0.1.11
CVE-2026-14535

8.8HIGH

Key Information:

Status
Vendor
CVE Published:
4 July 2026

What is CVE-2026-14535?

The Fickling library by Trail of Bits suffers from a flaw in the UnsafeImportsML analysis pass, which indiscriminately processes every import node without verifying if it is marked as unsafe. This unchecked behavior leads to the MLAllowlist analysis bypassing its crucial checks, thus failing to determine if an import is from a trusted source or not. Consequently, standard library modules outside the denylist can be deserialized and executed without proper safety checks, compromising the integrity of the application. This vulnerability emphasizes the importance of correctly managing shared mutable states across analysis passes to maintain effective security measures.

Affected Version(s)

fickling 0 <= 0.1.11

fickling 0.1.12

References

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Christopher Aziz (Bombadil Systems LLC)
.