PyPI · pypi.org
torch-candle
Py Import Time Pickle Loads: pickle/marshal.loads — deserializes arbitrary objects, RCE if attacker-controlled.
Why PkgRadar flagged 2026.6.9
| Severity | Signal | Evidence |
|---|---|---|
| medium | Py Import Time Pickle Loads | pickle/marshal.loads — deserializes arbitrary objects, RCE if attacker-controlled. · torch_candle-2026.6.9/src/torch_candle/__init__.py |
Scanned versions
| Version | Verdict | Score | Scanned (UTC) |
|---|---|---|---|
2026.6.9 | Review | 24 | 2026-06-13 |
2026.6.8 | Review | 24 | 2026-06-13 |
2026.6.7 | Review | 34 | 2026-06-13 |
2026.6.6 | Review | 24 | 2026-06-13 |
2026.6.5 | Review | 24 | 2026-06-12 |
2026.6.4 | Review | 24 | 2026-06-12 |
2026.6.3 | Review | 24 | 2026-06-11 |
2026.6.2 | Review | 24 | 2026-06-10 |
2026.6.1 | Review | 34 | 2026-06-05 |
0.1.1 | Review | 24 | 2026-06-05 |
0.1.0 | Review | 24 | 2026-06-03 |
Block this in CI
pkgradar gate --ecosystem pypi torch-candle==2026.6.9