Security Flaw in Fickling Python Decompiler from Trail of Bits
CVE-2026-22607

8.9HIGH

Key Information:

Vendor

Trailofbits

Status
Fickling
Vendor
CVE Published:
10 January 2026

What is CVE-2026-22607?

Fickling, a Python pickling decompiler and static analysis tool, is susceptible to a misclassification vulnerability involving the cProfile module. Versions up to 0.1.6 incorrectly classify malicious pickles that use cProfile.run() as SUSPICIOUS instead of OVERTLY_MALICIOUS. This flaw can mislead users relying on Fickling's analysis when determining the safety of deserializing pickled data, thus potentially allowing execution of attacker-controlled code. The issue has been resolved in version 0.1.7.

Affected Version(s)

fickling < 0.1.7

References

https://github.com/trailofbits/fickling/security/advisori...
x_refsource_CONFIRM
https://github.com/trailofbits/fickling/commit/dc8ae12966...
x_refsource_MISC
https://github.com/trailofbits/fickling/releases/tag/v0.1.7
x_refsource_MISC

CVSS V4

Score:
8.9
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.