Interpretation Conflict Affecting fickling package, versions [,0.1.8)
Threat Intelligence
Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-PYTHON-FICKLING-15347136
- published25 Feb 2026
- disclosed24 Feb 2026
- creditYash Rajesh Chhabria
Introduced: 24 Feb 2026
New CVE NOT AVAILABLE CWE-436 (opens in a new tab)How to fix?
Upgrade fickling to version 0.1.8 or higher.
Overview
fickling is an A static analyzer and interpreter for Python pickle data
Affected versions of this package are vulnerable to Interpretation Conflict via the OBJ opcode handling logic. An attacker can evade safety checks by triggering a code path where OBJ pushes an ast.Call onto the interpreter stack without persisting it to the AST via new_variable(). An attacker can execute arbitrary code, open network connections, create files, or establish backdoor listeners by crafting malicious pickle files that bypass all safety checks.