CVE-2026-7597: Insecure File Pickle Deserialization
Deserializing a file using `pickle.load()` is vulnerable to arbitrary code execution if the file can be manipulated by an attacker. Use safer formats like JSON, or restrict the allowed classes by subclassing `pickle.Unpickler` and overriding the `find_class` method to enforce strict type allowlists.
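The allowlisting approach described above, as an added example that is not part of this rule or the project's own code: a `pickle.Unpickler` subclass whose `find_class` resolves only module/name pairs on an explicit allowlist, plus a static pre-check built on `pickletools` that lists the globals a payload would resolve before any object is constructed. The allowlist contents, the helper names (`restricted_loads`, `try_restricted_load`, `referenced_globals`) and the sample payloads are all constructed for the illustration.

```python
import io
import pickle
import pickletools
import datetime
from collections import OrderedDict

# Constructed allowlist: the only (module, name) pairs the unpickler may resolve.
# Anything else (functions, arbitrary classes, os/subprocess, ...) is refused.
SAFE_GLOBALS = {
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global not on SAFE_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"global '{module}.{name}' is not on the allowlist")


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads that enforces SAFE_GLOBALS."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_restricted_load(data: bytes):
    """Return (True, value) on success or (False, reason) when the payload is refused."""
    try:
        return True, restricted_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# String-pushing opcodes whose values can become the two operands of STACK_GLOBAL.
_STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}


def referenced_globals(data: bytes):
    """Statically list the (module, name) globals a pickle stream would resolve.

    Inspection only: nothing is instantiated. GLOBAL carries "module name"
    inline; STACK_GLOBAL (protocol 4+) consumes the two most recently pushed
    strings. Memo lookups (BINGET) are not followed, so this is a preview for
    logging or triage; find_class above remains the enforcement point.
    """
    found = set()
    recent = []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.add((module, name))
        elif opcode.name == "STACK_GLOBAL" and len(recent) >= 2:
            found.add((recent[-2], recent[-1]))
        elif opcode.name in _STRING_OPS:
            recent.append(arg)
    return found


# Constructed sample payloads, produced locally with pickle.dumps for the demo.
SAMPLE_PLAIN = pickle.dumps({"user": "alice", "roles": ["reader"]})  # no globals at all
SAMPLE_ALLOWED = pickle.dumps(OrderedDict(a=1))                    # collections.OrderedDict
SAMPLE_REFUSED = pickle.dumps(datetime.date(2024, 1, 1))           # datetime.date, not allowlisted

if __name__ == "__main__":
    samples = [("plain", SAMPLE_PLAIN), ("allowed", SAMPLE_ALLOWED), ("refused", SAMPLE_REFUSED)]
    for label, payload in samples:
        print(label, "references:", referenced_globals(payload) or "no globals")
        print("   restricted load ->", try_restricted_load(payload))
```

Plain containers (dict, list, str, int) need no global lookup and load unchanged; `OrderedDict` loads because it is allowlisted; `datetime.date` is a harmless type, yet it is refused because it is not on the list, which is exactly the default-deny behaviour you want when the file's origin cannot be trusted. Keep the allowlist to the concrete types the application actually persists, and prefer JSON or another data-only format where the objects allow it.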
Provally Curated | Public repository | High | Medium confidence | Verified | Apache-2.0 | Python
greprules fetch cve-2026-7597-insecure-file-pickle-deserialization --engine opengrep