PT-2026-2228 · Fickling · Fickling
0X-Apollyon
·
Published
2026-01-09
·
Updated
2026-01-10
·
CVE-2026-22608
CVSS v4.0
9.3
Critical
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Fickling versions prior to 0.1.7
Description
Fickling, a Python pickling decompiler and static analyzer, does not explicitly block the ctypes and pydoc modules in versions prior to 0.1.7. Combining these modules can lead to Remote Code Execution (RCE), even while the scanner reports the file as LIKELY SAFE. The gap is shared with other existing pickle scanning tools, such as picklescan, which also do not block pydoc.locate.
Recommendations
Update to Fickling version 0.1.7 or later.
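As an added, defender-side illustration of the denylist gap described above (this is not part of the advisory and not Fickling's own code): a minimal static import lister for pickle streams that refuses references to ctypes and pydoc instead of reporting them safe. The samples are constructed references to `pydoc.locate` and `ctypes.CDLL`; nothing is ever unpickled.

```python
import pickle
import pickletools
import pydoc

# Modules that should never be silently accepted from a pickle stream. The
# advisory's point is that ctypes and pydoc were absent from Fickling's list
# before 0.1.7; the remaining entries are the classic pickle RCE primitives.
BLOCKED_MODULES = frozenset({"ctypes", "pydoc", "os", "subprocess", "builtins", "sys"})

# Opcodes that push a str onto the virtual stack (STACK_GLOBAL's arguments).
_STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
               "STRING", "BINSTRING", "SHORT_BINSTRING"}

def pickle_imports(data: bytes) -> list[tuple[str, str]]:
    """List (module, name) pairs the pickle would import, without loading it."""
    imports: list[tuple[str, str]] = []
    strings: list[str] = []           # recent string pushes, in order
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":       # protocol 0-3: "module name" in one arg
            module, name = arg.split(" ", 1)
            imports.append((module, name))
        elif op.name in _STRING_OPS:
            strings.append(arg)
        elif op.name == "STACK_GLOBAL":  # protocol 4+: module, name from stack
            if len(strings) >= 2:
                imports.append((strings[-2], strings[-1]))
            else:                     # args came via memo GET etc.: fail closed
                imports.append(("<unresolved>", "<unresolved>"))
            strings.clear()
    return imports

def blocked_imports(data: bytes) -> list[tuple[str, str]]:
    """Return the imports a denylist scanner should refuse; empty means no hit."""
    return [(m, n) for m, n in pickle_imports(data)
            if m.split(".")[0] in BLOCKED_MODULES or m == "<unresolved>"]

# Constructed samples: references to a function/class are pickled, never loaded.
BENIGN = pickle.dumps({"weights": [0.1, 0.2]}, protocol=4)
PYDOC_REF = pickle.dumps(pydoc.locate, protocol=4)        # STACK_GLOBAL form
CTYPES_REF = b"\x80\x02cctypes\nCDLL\nq\x00."              # GLOBAL form, hand-built

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN), ("pydoc", PYDOC_REF), ("ctypes", CTYPES_REF)]:
        print(label, blocked_imports(blob) or "no blocked imports")
```

A production scanner must also resolve strings fetched back from the memo (GET/BINGET) and treat REDUCE/BUILD on any flagged global as the point at which code would run; this block only shows the import-listing step.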
Exploit
Fix
RCE
Incomplete List of Disallowed Inputs
Deserialization of Untrusted Data
Related Identifiers
Affected Products
Fickling