Blocklist Bypass Vulnerability in Picklescan by Maitre314
CVE-2026-3490
10 (CRITICAL)
What is CVE-2026-3490?
Picklescan versions prior to 1.0.4 contain a vulnerability that lets an attacker bypass the tool's universal blocklist by routing calls through the pkgutil.resolve_name function. Instead of referencing a blocklisted callable directly, a malicious pickle references pkgutil.resolve_name and has it resolve a dangerous function by name, so functions such as os.system, builtins.exec and subprocess.call can be invoked through indirect REDUCE calls without triggering the blocklist, potentially leading to unauthorized remote code execution when the file is unpickled. Users must upgrade to the latest version to mitigate this risk.
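The defender-side check this advisory implies, as an added example that is not picklescan's own code: disassemble a pickle with pickletools.genops (which never executes it), collect every module.name the pickle imports through GLOBAL or STACK_GLOBAL, and treat a reference to an indirect resolver such as pkgutil.resolve_name as a finding in its own right, not just the final blocklisted callable. The blocklist and resolver sets below are illustrative, the sample pickles are constructed inline (a benign dict, a bare reference to the resolver serialised by pickle itself, and a hand-written GLOBAL reference to os.system with no call), and Python 3.9+ is assumed because pkgutil.resolve_name first appeared there.

```python
"""Static pickle triage: flag pickles that reach a blocklisted callable
directly or via an indirect import resolver. Illustrative example, not
picklescan's implementation."""
import pickle
import pickletools
import pkgutil  # pkgutil.resolve_name exists on Python 3.9+ (assumption)

# Names taken from the advisory; extend both sets for your own environment.
BLOCKLIST = {"os.system", "builtins.exec", "subprocess.call"}
# The lesson of CVE-2026-3490: a name-based blocklist must also cover the
# functions that can look up other functions by string at unpickle time.
INDIRECT_RESOLVERS = {"pkgutil.resolve_name"}

# Opcodes that push a str onto the unpickler stack (STACK_GLOBAL operands).
STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}
GET_OPS = {"GET", "BINGET", "LONG_BINGET"}
PUT_OPS = {"PUT", "BINPUT", "LONG_BINPUT"}


def referenced_globals(data: bytes) -> list[str]:
    """Return every 'module.name' the pickle imports, in order, without
    executing it. GLOBAL carries both names inline; STACK_GLOBAL takes them
    from the stack, so we track pushed strings and memo slots (simplified
    model: only string pushes are simulated, which is all STACK_GLOBAL needs).
    """
    found = []
    strings = []        # strings currently pushed, most recent last
    memo = {}           # memo index -> string (or None for non-strings)
    prev_pushed_string = False
    for op, arg, _pos in pickletools.genops(data):
        pushed = False
        if op.name == "GLOBAL":
            module, attr = arg.split(" ", 1)   # genops renders "module name"
            found.append(f"{module}.{attr}")
        elif op.name == "STACK_GLOBAL":
            if len(strings) >= 2:
                attr, module = strings.pop(), strings.pop()
                found.append(f"{module}.{attr}")
        elif op.name in STRING_OPS:
            strings.append(arg)
            pushed = True
        elif op.name in GET_OPS:
            strings.append(memo.get(arg))
            pushed = True
        elif op.name == "MEMOIZE":
            # Per the pickle spec the new slot index is the memo's current size.
            memo[len(memo)] = strings[-1] if prev_pushed_string else None
        elif op.name in PUT_OPS:
            memo[arg] = strings[-1] if prev_pushed_string else None
        prev_pushed_string = pushed
    return found


def triage(data: bytes) -> dict:
    """Classify a pickle: direct blocklist hits, resolver references, and a
    verdict that is only 'safe' when neither appears."""
    refs = referenced_globals(data)
    blocked = sorted({r for r in refs if r in BLOCKLIST})
    resolvers = sorted({r for r in refs if r in INDIRECT_RESOLVERS})
    return {"blocked": blocked, "resolvers": resolvers,
            "safe": not blocked and not resolvers}


# Constructed samples. None of them is ever unpickled here; only disassembled.
BENIGN = pickle.dumps({"weights": [0.1, 0.2], "epoch": 3})
# pickle serialises functions by reference, so these are pure name references:
RESOLVER_REF_P4 = pickle.dumps(pkgutil.resolve_name, protocol=4)  # STACK_GLOBAL form
RESOLVER_REF_P2 = pickle.dumps(pkgutil.resolve_name, protocol=2)  # GLOBAL form
# Hand-written: PROTO 2, GLOBAL os.system, STOP. A direct blocklist hit, no call.
DIRECT_REF = b"\x80\x02cos\nsystem\n."

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN), ("resolver-p4", RESOLVER_REF_P4),
                        ("resolver-p2", RESOLVER_REF_P2), ("direct", DIRECT_REF)]:
        print(label, triage(blob))
```

The point of keeping `resolvers` separate from `blocked` is that a scanner reporting only the latter would pass the protocol-4 and protocol-2 resolver samples as clean, which is exactly the gap the advisory describes; both opcode forms must be handled because an attacker chooses the pickle protocol.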
Affected Version(s)
picklescan >= 0, < 1.0.4
picklescan 1.0.4
