Code Injection Vulnerability in Uproot by Scikit-HEP
CVE-2026-9147

8.5HIGH

Key Information:

Vendor

Scikit-hep

Status
Vendor
CVE Published:
18 July 2026

What is CVE-2026-9147?

Uproot is susceptible to a code injection vulnerability due to improper handling of streamer metadata fields when generating Python class source code. This flaw allows an attacker to craft malicious ROOT files that can introduce harmful Python expressions through unquoted metadata, leading to arbitrary code execution within the context of the application processing the file. Users of affected Uproot versions should take immediate steps to update to secure versions and mitigate risks associated with this vulnerability.

Affected Version(s)

uproot 0 <= 5.7.4

References

CVSS V4

Score:
8.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Sai Teja Erukude
.