Description

Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, the unsafe_imports() method in Fickling's static analyzer fails to flag several high-risk Python modules that can be used for arbitrary code execution. Malicious pickles importing these modules will not be detected as unsafe, allowing attackers to bypass Fickling's primary static safety checks. This issue has been patched in version 0.1.7.

INFO

Published Date :

2026-01-10T01:35:18.152Z

Last Modified :

2026-01-10T01:35:18.152Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-22609 vulnerability.

Vendors Products
Trailofbits
  • Fickling
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-22609.

URL Resource
https://github.com/trailofbits/fickling/commit/29d5545e74b07766892c1f0461b801afccee4f91 cve-icon cve-icon
https://github.com/trailofbits/fickling/commit/9a2b3f89bd0598b528d62c10a64c1986fcb09f66 cve-icon cve-icon
https://github.com/trailofbits/fickling/commit/b793563e60a5e039c5837b09d7f4f6b92e6040d1 cve-icon cve-icon
https://github.com/trailofbits/fickling/commit/eb299b453342f1931c787bcb3bc33f3a03a173f9 cve-icon cve-icon
https://github.com/trailofbits/fickling/releases/tag/v0.1.7 cve-icon cve-icon
https://github.com/trailofbits/fickling/security/advisories/GHSA-q5qq-mvfm-j35x cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability