Code Injection Vulnerability in Uproot by Scikit-HEP
CVE-2026-9147
8.5HIGH
What is CVE-2026-9147?
Uproot is susceptible to a code injection vulnerability due to improper handling of streamer metadata fields when generating Python class source code. This flaw allows an attacker to craft malicious ROOT files that can introduce harmful Python expressions through unquoted metadata, leading to arbitrary code execution within the context of the application processing the file. Users of affected Uproot versions should take immediate steps to update to secure versions and mitigate risks associated with this vulnerability.
Affected Version(s)
uproot 0 <= 5.7.4
