{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-26T10:06:48.328","vulnerabilities":[{"cve":{"id":"CVE-2026-22609","sourceIdentifier":"security-advisories@github.com","published":"2026-01-10T02:15:50.050","lastModified":"2026-06-17T10:20:09.460","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, the unsafe_imports() method in Fickling's static analyzer fails to flag several high-risk Python modules that can be used for arbitrary code execution. Malicious pickles importing these modules will not be detected as unsafe, allowing attackers to bypass Fickling's primary static safety checks. This issue has been patched in version 0.1.7."},{"lang":"es","value":"Fickling es un descompilador de pickling de Python y analizador estático. Antes de la versión 0.1.7, el método unsafe_imports() en el analizador estático de Fickling no logra marcar varios módulos de Python de alto riesgo que pueden ser utilizados para la ejecución de código arbitrario. Pickles maliciosos que importan estos módulos no serán detectados como inseguros, permitiendo a los atacantes eludir las comprobaciones de seguridad estáticas primarias de Fickling. Este problema ha sido parcheado en la versión 0.1.7."}],"affected":[{"source":"security-advisories@github.com","affectedData":[{"vendor":"trailofbits","product":"fickling","versions":[{"version":"< 0.1.7","status":"affected"}]}]}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":8.9,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-01-14T19:51:27.570854Z","id":"CVE-2026-22609","options":[{"exploitation":"poc"},{"automatable":"yes"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-184"},{"lang":"en","value":"CWE-502"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:trailofbits:fickling:*:*:*:*:*:python:*:*","versionEndExcluding":"0.1.7","matchCriteriaId":"0D11EA35-A440-4468-BC69-709AA3A18DD9"}]}]}],"references":[{"url":"https://github.com/trailofbits/fickling/commit/29d5545e74b07766892c1f0461b801afccee4f91","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/trailofbits/fickling/commit/9a2b3f89bd0598b528d62c10a64c1986fcb09f66","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/trailofbits/fickling/commit/b793563e60a5e039c5837b09d7f4f6b92e6040d1","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/trailofbits/fickling/commit/eb299b453342f1931c787bcb3bc33f3a03a173f9","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/trailofbits/fickling/releases/tag/v0.1.7","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://github.com/trailofbits/fickling/security/advisories/GHSA-q5qq-mvfm-j35x","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]},{"url":"https://github.com/trailofbits/fickling/security/advisories/GHSA-q5qq-mvfm-j35x","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["Exploit","Vendor Advisory"]}]}}]}