CVE-2026-7584 in LabOne Qinfo

Zusammenfassung

von MITRE • 01.05.2026

The LabOne Q serialization framework uses a class-loading mechanism (import_cls) to dynamically import and instantiate Python classes during deserialization. Prior to the fix, this mechanism accepted arbitrary fully-qualified class names from the serialized data without any validation of the target class or restriction on which modules could be imported. An attacker can craft a serialized experiment file that causes the deserialization engine to import and instantiate arbitrary Python classes with attacker-controlled constructor arguments, resulting in arbitrary code execution in the context of the user running the Python process. Exploitation requires the victim to load a malicious file using LabOne Q's deserialization functions, for example a compromised experiment file shared for collaboration or support purposes.

Once again VulDB remains the best source for vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Zuständig

NCSC.ch

Reservieren

01.05.2026

Veröffentlichung

01.05.2026

Moderieren

akzeptiert

Eintrag

VDB-360531

CPE

bereit

EPSS

0.00043

KEV

nein

Aktivitäten

very low

Quellen

MITREhttps://www.cve.org/CVERecord?id=CVE-2026-7584
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2026-7584
CVE Detailshttps://www.cvedetails.com/cve/CVE-2026-7584/

ZurückÜbersichtWeiter

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!