CVE-2026-14535: In Trail of Bits fickling versions up to and including 0.1.11, the UnsafeImportsML analysis pass unconditionally calls A
Summary
In fickling (a security tool for analyzing pickle files), versions up to 0.1.11 have a bug where the UnsafeImportsML analysis pass marks all imports as already-checked in a shared list, causing the MLAllowlist pass (which is supposed to block imports from unsafe libraries) to skip its checks entirely. This means dangerous imports from standard library modules that aren't explicitly blocked can be deserialized and executed when fickling's security check returns LIKELY_SAFE.
Vulnerability Details
8.8(high)
EPSS: 0.0%
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
network
low
none
required
July 4, 2026
Classification
Taxonomy References
Affected Vendors
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-14535
First tracked: July 4, 2026 at 02:07 PM
Classified by LLM (prompt v3) · confidence: 92%