{"data":{"id":"797f97d5-7a02-4b33-8818-79bcb9138ba0","title":"CVE-2026-14535: In Trail of Bits fickling versions up to and including 0.1.11, the UnsafeImportsML analysis pass unconditionally calls A","summary":"In fickling (a security tool for analyzing pickle files), versions up to 0.1.11 have a bug where the UnsafeImportsML analysis pass marks all imports as already-checked in a shared list, causing the MLAllowlist pass (which is supposed to block imports from unsafe libraries) to skip its checks entirely. This means dangerous imports from standard library modules that aren't explicitly blocked can be deserialized and executed when fickling's security check returns LIKELY_SAFE.","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-14535","publishedAt":"2026-07-04T14:16:29.063Z","cveId":"CVE-2026-14535","cweIds":["CWE-693"],"cvssScore":"8.8","cvssSeverity":"high","severity":"high","attackType":["model_poisoning"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":[],"affectedVendorsRaw":["fickling","Trail of Bits"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","attackVector":"network","attackComplexity":"low","privilegesRequired":"none","userInteraction":"required","exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-07-04T14:16:29.063Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality"],"aiComponentTargeted":"framework","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}