diff --git a/README.md b/README.md index ea80162c..421bfdba 100644 --- a/README.md +++ b/README.md @@ -67,6 +67,7 @@ This project is a simple banking application with multiple security vulnerabilit - Directory traversal - No file size limits - Unsafe file naming + - Insecure deserialization 5. **Session Management** - Token vulnerabilities @@ -323,6 +324,7 @@ The application uses PostgreSQL. The database will be automatically initialized 3. Upload oversized files 4. Test file overwrite scenarios 5. File type bypass +6. Insecure deserialization ### API Security Testing 1. Token manipulation diff --git a/app.py b/app.py index 49605fa3..5d1c13e2 100644 --- a/app.py +++ b/app.py @@ -2,6 +2,7 @@ from datetime import datetime, timedelta import random import string +import pickle import html import os from dotenv import load_dotenv @@ -525,12 +526,11 @@ def get_transaction_history(account_number): def upload_profile_picture(current_user): if 'profile_picture' not in request.files: return jsonify({'error': 'No file provided'}), 400 - - file = request.files['profile_picture'] + file = request.files['profile_picture'] if file.filename == '': return jsonify({'error': 'No file selected'}), 400 - + try: # Vulnerability: No file type validation # Vulnerability: Using user-controlled filename 
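Review bot: The new `import pickle` in the app.py import hunk is the only file-level trace of the deserialization path this diff introduces, and nothing at the import marks it as the intentional weakness the README hunks now list. Since this project documents each vulnerability it ships, label the dependency where it enters so it is not mistaken for an ordinary import: `import pickle  # intentionally insecure: consumed by upload_profile_picture (README: "Insecure deserialization")`. The consumer of that import, in the later hunk that runs past the end of this view, also removes `file.save(file_path)` while the following `execute_query` still records the filename in the users table, so the uploaded picture appears to no longer be written to disk; worth confirming that side effect is intended rather than a by-product of the demonstration.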
@@ -543,9 +543,19 @@ def upload_profile_picture(current_user): # Vulnerability: Path traversal possible if filename contains ../ file_path = os.path.join(UPLOAD_FOLDER, filename) - file.save(file_path) + # NEW VULNERABILITY: Insecure deserialization + # Attempt to deserialize the uploaded file using pickle.load() + # regardless of file extension or content + try: + file.seek(0) # Reset file pointer to beginning + deserialized_data = pickle.load(file) + print(f"Deserialized data: {deserialized_data}") + except Exception as pickle_error: + # Continue execution even if deserialization fails + print(f"Pickle deserialization failed: {str(pickle_error)}") + # Update database with just the filename execute_query( "UPDATE users SET profile_picture = %s WHERE id = %s",