๐Ÿ” CVE Alert

CVE-2026-9147

HIGH 7.8

uproot 5.7.4 and prior Code Injection via TStreamerInfo Metadata

CVSS Score
7.8
EPSS Score
0.0%
EPSS Percentile
0th

uproot dynamically generates Python class source code from ROOT TStreamerInfo records in a file and compiles it at runtime. Some file-controlled streamer metadata fields (for example, streamer element names) are interpolated into the generated Python source without safe quoting via repr() or the !r format specifier. An attacker who can supply a crafted ROOT file can place Python expression-breaking content into a streamer metadata field. When uproot generates and invokes the corresponding reader method, the injected Python expression is evaluated in the context of the process opening the file, resulting in arbitrary Python code execution in applications that open or process attacker-controlled ROOT files with affected uproot code paths.

CWE CWE-94
Vendor scikit-hep
Product uproot
Published Jul 18, 2026
Stay Ahead of the Next One

Get instant alerts for scikit-hep uproot

Be the first to know when new high vulnerabilities affecting scikit-hep uproot are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Affected Versions

scikit-hep / uproot
0 โ‰ค 5.7.4

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/scikit-hep/uproot5/security/advisories/GHSA-6946-mq52-g438 github.com: https://github.com/scikit-hep/uproot5/commit/c045c2824295d907d2e705f31110c742928e50e7 github.com: https://github.com/scikit-hep/uproot5 vulncheck.com: https://www.vulncheck.com/advisories/uproot-and-before-code-injection-via-tstreamerinfo-metadata

Credits

Sai Teja Erukude