AI Threat Alert

CVE-2026-3490

CRITICAL
Published June 17, 2026

picklescan before 1.0.4 fails to block pkgutil.resolve_name, allowing attackers to bypass the entire blocklist by resolving any dangerous function through indirect REDUCE calls. Remote attackers can invoke any blocked function such as os.system, builtins.exec, or subprocess.call to achieve remote...

Full CISO analysis pending enrichment.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
picklescan pip No patch
412 3 dependents Pushed 1mo ago 82% patched ~12d to patch Full package profile →

Do you use picklescan? You're affected.

How severe is it?

CVSS 3.1
10.0 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
N/A

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Changed
C High
I High
A High

What should I do?

No patch available

Monitor for updates. Consider compensating controls or temporary mitigations.

Which compliance frameworks are affected?

Compliance analysis pending. Sign in for full compliance mapping when available.

Frequently Asked Questions

What is CVE-2026-3490?

picklescan before 1.0.4 fails to block pkgutil.resolve_name, allowing attackers to bypass the entire blocklist by resolving any dangerous function through indirect REDUCE calls. Remote attackers can invoke any blocked function such as os.system, builtins.exec, or subprocess.call to achieve remote code execution.

Is CVE-2026-3490 actively exploited?

No confirmed active exploitation of CVE-2026-3490 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-3490?

No patch is currently available. Monitor vendor advisories for updates.

What is the CVSS score for CVE-2026-3490?

CVE-2026-3490 has a CVSS v3.1 base score of 10.0 (CRITICAL).

What are the technical details?

Original Advisory

picklescan before 1.0.4 fails to block pkgutil.resolve_name, allowing attackers to bypass the entire blocklist by resolving any dangerous function through indirect REDUCE calls. Remote attackers can invoke any blocked function such as os.system, builtins.exec, or subprocess.call to achieve remote code execution.

Weaknesses (CWE)

CWE-183 Permissive List of Allowed Inputs

CWE-183 — Permissive List of Allowed Inputs: The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References

Timeline

Published
June 17, 2026
Last Modified
June 17, 2026
First Seen
June 17, 2026

Related Vulnerabilities

CRITICAL GHSA-vvpj-8cmc-gx39 10.0

picklescan: security flaw enables exploitation

Same package: picklescan
CRITICAL GHSA-7wx9-6375-f5wh 9.8

picklescan: Allowlist Bypass evades input filtering

Same package: picklescan
CRITICAL GHSA-g38g-8gr9-h9xp 9.8

picklescan: Allowlist Bypass evades input filtering

Same package: picklescan
CRITICAL CVE-2025-1945 9.8

picklescan: ZIP flag bypass enables RCE in PyTorch models

Same package: picklescan
CRITICAL CVE-2025-71321 9.8

Analysis pending

Same package: picklescan
Back to Threat Feed