Duplicate Advisory: picklescan missing detection by simple obfuscation of a `builtins.eval` call
- When
- Where
- Global (internet)
- Category
- cyber_advisory · pip
## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-9m3x-qqw2-h32h. This link is maintained to preserve external references. ## Original Description picklescan before 1.0.1 contains an unsafe deserialization vulnerability allowing unauthenticated users to execute arbitrary code by hiding eval calls nested under callable objects via getattr. Attackers can embed malicious code in pickle files that evades detection but executes when the pickle is loaded from untrusted sources.
Sources
- GitHub Advisory Database ↗ · first seen 2026-06-17 18:35 UTC
Defaxon links out to the original reporting and never republishes article text.
Correlated events
Computed by the Defaxon correlation engine — linked by shared actors, co-location, and temporal proximity. Scored hypotheses, never causal claims.
No correlated events found in the current window. As more events arrive, connections form automatically.