PT-2026-2226 · Fickling · Fickling

Thomas Chauchefoin +1
Published 2026-01-09 · Updated 2026-01-10
CVE-2026-22606
CVSS v4.0 9.3 Critical
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Fickling versions up to and including 0.1.6
Description: Fickling, a Python pickling decompiler and static analyzer, classifies pickles that call Python's runpy.run_path() or runpy.run_module() as SUSPICIOUS instead of OVERTLY MALICIOUS. Both functions execute arbitrary Python code, from a file path and from an importable module respectively, so a pickle that calls them runs attacker-controlled code as soon as it is deserialized. A workflow that relies on Fickling's verdict to decide whether a pickle is safe to deserialize may therefore accept such a pickle and execute attacker-controlled code. This issue impacts any workflow or product that uses Fickling as a security gate for pickle deserialization.
Recommendations: Update to version 0.1.7 or later.
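The gap described above, illustrated with an added example written for this page; it is not Fickling's code and does not use Fickling's API. It inspects pickle opcodes with pickletools.genops without ever unpickling, builds a sample pickle that would call runpy.run_module("attacker_module") (a hypothetical module name) on load, and classifies it under two policies: one that lists runpy as overtly malicious and one, modelling the pre-0.1.7 verdict, that only treats it as suspicious. The denylists, the verdict names and the simplified STACK_GLOBAL resolution are this example's own assumptions, not Fickling's logic.

```python
"""Opcode-level pickle triage that treats runpy.run_path / runpy.run_module
as overtly malicious, plus a lenient mode that models the pre-0.1.7 verdict
described in the advisory (runpy only SUSPICIOUS).

The denylists below are this example's own policy (assumption), not
Fickling's lists. Pickles are inspected with pickletools.genops and are
never passed to pickle.loads.
"""
import pickle
import pickletools
import runpy

# Callables whose presence alone proves code execution on load (example policy).
OVERTLY_MALICIOUS = {
    ("os", "system"), ("posix", "system"),
    ("subprocess", "Popen"), ("subprocess", "run"), ("subprocess", "check_output"),
    ("builtins", "eval"), ("builtins", "exec"),
    ("runpy", "run_path"), ("runpy", "run_module"),
}
RUNPY_ENTRYPOINTS = {("runpy", "run_path"), ("runpy", "run_module")}

# Modules that warrant a closer look even when the exact attribute is not listed.
SUSPICIOUS_MODULES = {"os", "posix", "subprocess", "builtins", "importlib", "sys", "runpy"}

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def referenced_globals(data: bytes):
    """Yield (module, name) for every GLOBAL / STACK_GLOBAL opcode.

    GLOBAL (protocol 0-3) carries "module name" inline. STACK_GLOBAL
    (protocol 4+) takes both from the stack; this simplified resolver
    assumes they are the two most recently pushed strings, which holds for
    pickles produced by the standard pickler.
    """
    recent_strings = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            yield module, name
        elif op.name == "STACK_GLOBAL":
            if len(recent_strings) >= 2:
                name = recent_strings.pop()
                module = recent_strings.pop()
                yield module, name
        elif op.name in STRING_OPS:
            recent_strings.append(arg)


def classify(data: bytes, runpy_is_malicious: bool = True) -> str:
    """Return LIKELY_SAFE, SUSPICIOUS or OVERTLY_MALICIOUS.

    runpy_is_malicious=False models the flawed verdict the advisory describes:
    runpy is only "suspicious". This is a model of the outcome, not Fickling's code.
    """
    malicious = OVERTLY_MALICIOUS - (set() if runpy_is_malicious else RUNPY_ENTRYPOINTS)
    verdict = "LIKELY_SAFE"
    for module, name in referenced_globals(data):
        if (module, name) in malicious:
            return "OVERTLY_MALICIOUS"
        if module in SUSPICIOUS_MODULES:
            verdict = "SUSPICIOUS"
    return verdict


def gate_allows(data: bytes, runpy_is_malicious: bool = True,
                block_suspicious: bool = True) -> bool:
    """Decide whether a loader would go on to call pickle.loads(data).

    A gate that only rejects OVERTLY_MALICIOUS (block_suspicious=False) is the
    deployment in which the misclassification becomes code execution.
    """
    verdict = classify(data, runpy_is_malicious)
    if verdict == "OVERTLY_MALICIOUS":
        return False
    if verdict == "SUSPICIOUS":
        return not block_suspicious
    return True


class _ReduceTo:
    """Pickles as a call to func(*args); this is how such pickles are built."""
    def __init__(self, func, args):
        self.func, self.args = func, args

    def __reduce__(self):
        return (self.func, self.args)


def make_runpy_pickle(protocol: int = 4) -> bytes:
    """Constructed sample: would call runpy.run_module("attacker_module")
    (hypothetical module name) when loaded. Built here, never loaded."""
    return pickle.dumps(_ReduceTo(runpy.run_module, ("attacker_module",)), protocol=protocol)


def make_benign_pickle() -> bytes:
    """Constructed sample with no GLOBAL references at all."""
    return pickle.dumps({"weights": [0.1, 0.2], "epoch": 3}, protocol=4)


if __name__ == "__main__":
    for proto in (2, 4):
        p = make_runpy_pickle(proto)
        print(proto, list(referenced_globals(p)),
              classify(p, runpy_is_malicious=False), classify(p))
```

Run as a script it prints the referenced globals and both verdicts for protocol 2 (GLOBAL) and protocol 4 (STACK_GLOBAL) pickles. The gate_allows helper shows why a loader that only rejected OVERTLY MALICIOUS verdicts was exposed: under the lenient policy it proceeds to pickle.loads. Treating SUSPICIOUS as a block as well is a defence-in-depth setting worth keeping even after upgrading to 0.1.7.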

Weakness Enumeration

CWE-184: Incomplete List of Disallowed Inputs
CWE-502: Deserialization of Untrusted Data

Related Identifiers

CVE-2026-22606
GHSA-WFQ2-52F7-7QVJ

Affected Products

Fickling