PT-2026-2229 · Fickling · Fickling
Mldangelo · Published 2026-01-09 · Updated 2026-01-10
CVE-2026-22609
| CVSS v4.0 | 9.3 (Critical) |
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Fickling versions prior to 0.1.7
Description
Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, the unsafe_imports() method within Fickling's static analyzer does not identify several high-risk Python modules that could be used for arbitrary code execution. This allows malicious pickles importing these modules to bypass Fickling's safety checks. Because the check is a denylist of known-dangerous modules (CWE-184), any module absent from that list is reported as safe; if such a pickle is then loaded, it deserializes with the full code-execution capability of the pickle virtual machine (CWE-502).
Recommendations
Update Fickling to version 0.1.7 or later. Treat a clean verdict from any static pickle scanner as a necessary, not a sufficient, condition before loading a pickle from an untrusted source.
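Worked illustration, added here and not Fickling's own code: a minimal opcode-level scanner built on the standard library's pickletools that extracts the modules a pickle would import without executing it, then evaluates the same stream against a denylist and against an allowlist. It shows the failure mode this advisory describes, a module missing from the denylist being reported as safe, and why an allowlist keyed on what the application actually expects does not have that gap. The DENYLIST and ALLOWLIST sets, the posix.system sample and the helper names are hypothetical; they are not the modules the 0.1.7 release added. All sample pickles are constructed inline and are only scanned, never loaded.

```python
import pickle
import pickletools
from collections import OrderedDict

# Added example (not Fickling's code). The two sets below are hypothetical
# illustrations of the check, not Fickling's own lists.
DENYLIST = {"os", "subprocess", "builtins"}          # deliberately incomplete (CWE-184)
ALLOWLIST = {"collections", "datetime", "decimal"}    # only what the application expects

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def build_import_pickle(module: str, name: str, arg: str) -> bytes:
    """Hand-assemble a protocol-4 pickle whose load would resolve module.name and
    call it with arg. Opcodes: PROTO, SHORT_BINUNICODE x2, STACK_GLOBAL,
    SHORT_BINUNICODE, TUPLE1, REDUCE, STOP. Constructed sample; never loaded here."""
    def short_unicode(s: str) -> bytes:
        raw = s.encode("utf-8")
        assert len(raw) < 256
        return b"\x8c" + bytes([len(raw)]) + raw       # SHORT_BINUNICODE
    return (b"\x80\x04"                                 # PROTO 4
            + short_unicode(module)
            + short_unicode(name)
            + b"\x93"                                   # STACK_GLOBAL: pops name, module
            + short_unicode(arg)
            + b"\x85"                                   # TUPLE1: (arg,)
            + b"R"                                      # REDUCE: module.name(arg)
            + b".")                                     # STOP


def imported_globals(data: bytes) -> list[tuple[str, str]]:
    """Walk the opcode stream with pickletools.genops (nothing is executed) and
    collect the (module, name) pairs referenced by GLOBAL and STACK_GLOBAL.
    The stack model is deliberately minimal: it tracks only string constants,
    which suffices to resolve STACK_GLOBAL operands in pickles produced by
    pickle.dumps; a production scanner models the full pickle VM stack."""
    found: list[tuple[str, str]] = []
    strings: list[str] = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":                         # protocol <= 3: "module name" inline
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":                 # protocol 4+: operands pushed earlier
            if len(strings) >= 2:
                name = strings.pop()
                module = strings.pop()
                found.append((module, name))
            else:
                found.append(("<unresolved>", "<unresolved>"))
        elif op.name in STRING_OPS:
            strings.append(arg)
    return found


def top_level(module: str) -> str:
    """Package prefix used for matching, so "os.path" is judged as "os"."""
    return module.split(".", 1)[0]


def denylist_says_safe(data: bytes) -> bool:
    """The fragile check: anything not explicitly listed is assumed harmless."""
    return all(top_level(m) not in DENYLIST for m, _ in imported_globals(data))


def allowlist_says_safe(data: bytes) -> bool:
    """The robust check: anything not explicitly expected is rejected."""
    return all(top_level(m) in ALLOWLIST for m, _ in imported_globals(data))


# Constructed samples.
BENIGN = pickle.dumps(OrderedDict([("a", 1)]), protocol=4)   # references collections.OrderedDict
# On POSIX, os.system is re-exported from the posix module, so a denylist keyed on
# "os" does not match a pickle that names "posix" directly.
ALIASED = build_import_pickle("posix", "system", "id")
OBVIOUS = build_import_pickle("os", "system", "id")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("aliased", ALIASED), ("obvious", OBVIOUS)):
        print(f"{label:8} imports={imported_globals(blob)} "
              f"denylist={'safe' if denylist_says_safe(blob) else 'BLOCKED'} "
              f"allowlist={'safe' if allowlist_says_safe(blob) else 'BLOCKED'}")
```

Running the block prints the three verdict pairs: the benign pickle passes both checks, the obvious os.system pickle is blocked by both, and the aliased posix.system pickle passes the denylist and is blocked only by the allowlist. The scanner is intentionally simpler than Fickling's (it does not model BINGET/MEMOIZE reuse of strings or follow REDUCE arguments), so its output is a demonstration of the denylist-versus-allowlist point, not a drop-in replacement.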
Weakness Types
CWE-184: Incomplete List of Disallowed Inputs
CWE-502: Deserialization of Untrusted Data
Related Identifiers
CVE-2026-22609
Affected Products
Fickling