{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-53874: picklescan - Arbitrary Code Execution via Obfuscated eval Call","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-53874","status":"final","version":"1","initial_release_date":"2026-06-17T15:05:03.558Z","current_release_date":"2026-06-17T15:05:03.558Z","revision_history":[{"date":"2026-06-17T15:05:03.558Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"picklescan before 1.0.1 fails to flag a pickle payload in which an eval call is hidden by nesting it under callable objects reached via getattr. An unauthenticated attacker can craft a pickle file that passes the picklescan check unflagged yet executes arbitrary code when a consumer later loads it from an untrusted source. The issue is therefore a detection bypass for any pipeline that relies on picklescan to gate untrusted pickle files: the payload runs at load time, not during the scan.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-53874 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-53874"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-53874"},{"category":"external","summary":"GHSA Advisory GHSA-9m3x-qqw2-h32h","url":"https://github.com/mmaitre314/picklescan/security/advisories/GHSA-9m3x-qqw2-h32h"},{"category":"external","summary":"VulnCheck Advisory: picklescan - Arbitrary Code Execution via Obfuscated eval Call","url":"https://www.vulncheck.com/advisories/picklescan-arbitrary-code-execution-via-obfuscated-eval-call"}]},"product_tree":{"branches":[{"category":"vendor","name":"picklescan","branches":[{"category":"product_name","name":"picklescan","branches":[{"category":"product_version_range","name":"<1.0.1","product":{"name":"picklescan picklescan <1.0.1","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:picklescan:picklescan:*:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"1.0.1","product":{"name":"picklescan picklescan 1.0.1","product_id":"CSAFPID-2","product_identification_helper":{"cpe":"cpe:2.3:a:picklescan:picklescan:*:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-53874","title":"picklescan - Arbitrary Code Execution via Obfuscated eval Call","notes":[{"category":"description","text":"picklescan before 1.0.1 fails to flag a pickle payload in which an eval call is hidden by nesting it under callable objects reached via getattr. An unauthenticated attacker can craft a pickle file that passes the picklescan check unflagged yet executes arbitrary code when a consumer later loads it from an untrusted source. The issue is therefore a detection bypass for any pipeline that relies on picklescan to gate untrusted pickle files: the payload runs at load time, not during the scan.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1"],"fixed":["CSAFPID-2"]},"scores":[{"cvss_v4":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","baseScore":9.3,"baseSeverity":"CRITICAL"},"products":["CSAFPID-1"]}],"remediations":[{"category":"vendor_fix","details":"Update to a fixed version: 1.0.1.","product_ids":["CSAFPID-1"]}]}]}