GHSA-qw48-84f6-28gv: Graphite Has a Pickle Deserialization Vulnerability
Type of vulnerability: Insecure Deserialization via Python’s pickle module.
Who is impacted:
Users of Graphite graph database engine versions before 0.2 who load database files from untrusted or third-party sources.
An attacker could craft a malicious database file that executes arbitrary code when the engine loads it. This is possible because affected versions use pickle to serialize database files; unpickling reconstructs objects by importing and calling whatever the data names, so it is unsafe for data from untrusted sources.
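The following is an added illustration, not Graphite's own code, of the two defensive checks a loader of pickled files can apply: inspecting a file for opcodes that import or call objects before loading it, and unpickling with a subclass that refuses every module-level reference. The sample "database files" are constructed in the block; the dict-of-lists layout is an assumption, not Graphite's format.

```python
# Added example (not Graphite project code): shows how to detect, without
# executing it, a pickle that would run code on load, and how to load a
# pickle of plain containers while refusing any import or call.
import datetime
import io
import pickle
import pickletools

# Opcodes that make the unpickler import a name or call a callable while
# loading. Any of these in a file means loading it runs code chosen by
# whoever wrote the file.
CODE_RUNNING_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "REDUCE",
                        "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def code_running_opcodes(data: bytes) -> set:
    """Names of opcodes in `data` that import or call objects during
    unpickling. Uses pickletools, so nothing in the pickle is executed."""
    return {op.name for op, _arg, _pos in pickletools.genops(data)
            if op.name in CODE_RUNNING_OPCODES}


class NoGlobalsUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any module.attribute reference,
    so only built-in scalars and containers can be reconstructed."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            f"refusing to import {module}.{name} from database file")


def safe_load(data: bytes):
    """Load a pickled graph expected to contain only dict/list/tuple/str/int."""
    return NoGlobalsUnpickler(io.BytesIO(data)).load()


def load_is_refused(data: bytes) -> bool:
    """True if safe_load rejects `data` because it references a global."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False


# Constructed sample files (hypothetical layout, not Graphite's format).
PLAIN_GRAPH = pickle.dumps({"nodes": ["a", "b"], "edges": [("a", "b")]})
# A harmless object whose pickle still needs STACK_GLOBAL + REDUCE to be
# rebuilt: a restrictive loader must reject it exactly as it would a
# hostile file, because the mechanism is the same.
OBJECT_GRAPH = pickle.dumps({"created": datetime.date(2024, 1, 1)})
```

Treating any file that trips `code_running_opcodes` as suspect, and only ever loading with `safe_load`, removes the code-execution path; moving the on-disk format to JSON removes it entirely.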