CVE-2026-9147 in uprootthông tin

Tóm tắt

Bởi MITRE • 18/07/2026

uproot dynamically generates Python class source code from ROOT TStreamerInfo records in a file and compiles it at runtime. Some file-controlled streamer metadata fields (for example, streamer element names) are interpolated into the generated Python source without safe quoting via repr() or the !r format specifier. An attacker who can supply a crafted ROOT file can place Python expression-breaking content into a streamer metadata field. When uproot generates and invokes the corresponding reader method, the injected Python expression is evaluated in the context of the process opening the file, resulting in arbitrary Python code execution in applications that open or process attacker-controlled ROOT files with affected uproot code paths.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

chịu trách nhiệm

VulnCheck

Đặt trước

20/05/2026

Tiết lộ

18/07/2026

Kiểm duyệt

được chấp nhận

EPSS

0.00000

KEV

không

Các hoạt động

thấp

Nguồn

Do you need the next level of professionalism?

Upgrade your account now!