{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22606", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-07T21:50:39.533Z", "datePublished": "2026-01-10T01:35:00.797Z", "dateUpdated": "2026-01-13T19:58:14.707Z"}, "containers": {"cna": {"title": "Fickling has a bypass via runpy.run_path() and runpy.run_module()", "problemTypes": [{"descriptions": [{"cweId": "CWE-184", "lang": "en", "description": "CWE-184: Incomplete List of Disallowed Inputs", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-502", "lang": "en", "description": "CWE-502: Deserialization of Untrusted Data", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.9, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/trailofbits/fickling/security/advisories/GHSA-wfq2-52f7-7qvj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-wfq2-52f7-7qvj"}, {"name": "https://github.com/trailofbits/fickling/commit/9a2b3f89bd0598b528d62c10a64c1986fcb09f66", "tags": ["x_refsource_MISC"], "url": "https://github.com/trailofbits/fickling/commit/9a2b3f89bd0598b528d62c10a64c1986fcb09f66"}, {"name": "https://github.com/trailofbits/fickling/releases/tag/v0.1.7", "tags": ["x_refsource_MISC"], "url": "https://github.com/trailofbits/fickling/releases/tag/v0.1.7"}], "affected": [{"vendor": "trailofbits", "product": "fickling", "versions": [{"version": "< 0.1.7", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-10T01:35:00.797Z"}, "descriptions": [{"lang": "en", "value": "Fickling is a Python pickling decompiler and static analyzer. Fickling versions up to and including 0.1.6 do not treat Python\u2019s runpy module as unsafe. Because of this, a malicious pickle that uses runpy.run_path() or runpy.run_module() is classified as SUSPICIOUS instead of OVERTLY_MALICIOUS. If a user relies on Fickling\u2019s output to decide whether a pickle is safe to deserialize, this misclassification can lead them to execute attacker-controlled code on their system. This affects any workflow or product that uses Fickling as a security gate for pickle deserialization. This issue has been patched in version 0.1.7."}], "source": {"advisory": "GHSA-wfq2-52f7-7qvj", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-wfq2-52f7-7qvj", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-13T19:58:11.177501Z", "id": "CVE-2026-22606", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T19:58:14.707Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22606", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-13T19:58:11.177501Z"}}}], "references": [{"url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-wfq2-52f7-7qvj", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T19:58:00.953Z"}}], "cna": {"title": "Fickling has a bypass via runpy.run_path() and runpy.run_module()", "source": {"advisory": "GHSA-wfq2-52f7-7qvj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.9, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "trailofbits", "product": "fickling", "versions": [{"status": "affected", "version": "< 0.1.7"}]}], "references": [{"url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-wfq2-52f7-7qvj", "name": "https://github.com/trailofbits/fickling/security/advisories/GHSA-wfq2-52f7-7qvj", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/trailofbits/fickling/commit/9a2b3f89bd0598b528d62c10a64c1986fcb09f66", "name": "https://github.com/trailofbits/fickling/commit/9a2b3f89bd0598b528d62c10a64c1986fcb09f66", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/trailofbits/fickling/releases/tag/v0.1.7", "name": "https://github.com/trailofbits/fickling/releases/tag/v0.1.7", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Fickling is a Python pickling decompiler and static analyzer. Fickling versions up to and including 0.1.6 do not treat Python\u2019s runpy module as unsafe. Because of this, a malicious pickle that uses runpy.run_path() or runpy.run_module() is classified as SUSPICIOUS instead of OVERTLY_MALICIOUS. If a user relies on Fickling\u2019s output to decide whether a pickle is safe to deserialize, this misclassification can lead them to execute attacker-controlled code on their system. This affects any workflow or product that uses Fickling as a security gate for pickle deserialization. This issue has been patched in version 0.1.7."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-184", "description": "CWE-184: Incomplete List of Disallowed Inputs"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502: Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-10T01:35:00.797Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22606", "state": "PUBLISHED", "dateUpdated": "2026-01-13T19:58:14.707Z", "dateReserved": "2026-01-07T21:50:39.533Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-10T01:35:00.797Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:trailofbits:fickling:*:*:*:*:*:python:*:*", "matchCriteriaId": "0D11EA35-A440-4468-BC69-709AA3A18DD9", "versionEndExcluding": "0.1.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Fickling is a Python pickling decompiler and static analyzer. Fickling versions up to and including 0.1.6 do not treat Python\u2019s runpy module as unsafe. Because of this, a malicious pickle that uses runpy.run_path() or runpy.run_module() is classified as SUSPICIOUS instead of OVERTLY_MALICIOUS. If a user relies on Fickling\u2019s output to decide whether a pickle is safe to deserialize, this misclassification can lead them to execute attacker-controlled code on their system. This affects any workflow or product that uses Fickling as a security gate for pickle deserialization. This issue has been patched in version 0.1.7."}], "id": "CVE-2026-22606", "lastModified": "2026-01-16T18:59:35.140", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.9, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-10T02:15:49.637", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/trailofbits/fickling/commit/9a2b3f89bd0598b528d62c10a64c1986fcb09f66"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/trailofbits/fickling/releases/tag/v0.1.7"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-wfq2-52f7-7qvj"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-wfq2-52f7-7qvj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-184"}, {"lang": "en", "value": "CWE-502"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T07:16:31.211803+00:00", "value": {"mitigation_remediation": ["Upgrade Fickling to version 0.1.7 or later immediately.", "If upgrade is not feasible, augment pickle handling so that deserialization does not rely solely on Fickling\u2019s output; implement additional checks such as a whitelist or manual inspection for runpy usage.", "Implement an environment policy that treats any pickle invoking runpy as overtly malicious and blocks its execution until a validated patch is applied."], "summary": {"action": "Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Python package Fickling from the Trail of Bits vendor. All releases up to and including 0.1.6 are impacted. The fix is available in 0.1.7 and later versions.", "description_and_impact": "Fickling is intended to detect unsafe deserialization by analyzing Python pickles. In versions up to 0.1.6 the tool incorrectly classifies pickles that invoke Python\u2019s runpy module\u2014specifically runpy.run_path() or runpy.run_module()\u2014as merely suspicious, not overtly malicious. An attacker can embed these calls within a malicious pickle; if an environment trusts Fickling\u2019s markings and proceeds to deserialize such a file, the runpy calls will execute attacker\u2011controlled code, providing full code execution on the system.", "risk_and_exploitability": "The CVSS score is 8.9, indicating high severity, while the EPSS score is below 1%, suggesting a very low probability of exploitation in the wild at the time of analysis. The vulnerability is not currently listed in the CISA KEV catalog. An attacker would craft a malicious pickle that triggers runpy execution; if a system trusts Fickling\u2019s classification and deserializes the payload, arbitrary code execution is achieved. The attack vector requires delivery of a crafted pickle to the target, typically via file ingestion or network transfer, but does not rely on other infrastructure or privileged access."}}}}, "created": "2026-01-12T14:36:55.641536+00:00", "updated": "2026-04-18T07:30:36.019396+00:00", "vendors": ["trailofbits", "trailofbits$PRODUCT$fickling"]}