
CVE-2026-7584

· Published 01/05/2026 08:16 · Modified 01/05/2026 15:28

Labels: CVE-2026-7584 · 2026-05-01 · CWE-502 · [email protected]

Essential information

Published
01/05/2026 08:16
Modified
01/05/2026 15:28
Author
Creator
CVSS
8.4 HIGH (v3) · 8.4 HIGH (v4.0)
CISA KEV
No
CWE
CWE-502 (Deserialization of Untrusted Data)
CVSS vector

CVSS metrics

Description

The LabOne Q serialization framework uses a class-loading mechanism (import_cls) to dynamically import and instantiate Python classes during deserialization. Prior to the fix, this mechanism accepted arbitrary fully-qualified class names from the serialized data without any validation of the target class or restriction on which modules could be imported. An attacker can craft a serialized experiment file that causes the deserialization engine to import and instantiate arbitrary Python classes with attacker-controlled constructor arguments, resulting in arbitrary code execution in the context of the user running the Python process. Exploitation requires the victim to load a malicious file using LabOne Q's deserialization functions, for example a compromised experiment file shared for collaboration or support purposes.
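The pattern the description names, shown as an added example written for this page rather than taken from LabOne Q's own code: a tiny JSON-based experiment format in which a dict carrying a "__class__" key is rebuilt by importing the named class and calling it with the file's "args"/"kwargs". The `Pulse`/`Experiment` dataclasses, the document layout and both sample documents are constructed stand-ins, not the real LabOne Q types or file format. `import_cls_vulnerable` is the pre-fix behaviour (any importable module, any attribute, attacker-chosen constructor arguments); `import_cls_hardened` resolves names through an allowlist and never touches the import system for unknown names, since merely importing a module runs its top-level code.

```python
import importlib
import json
from dataclasses import dataclass, field


class UnsafeClassError(ValueError):
    """Raised when serialized data names a class outside the allowlist."""


# Stand-ins for experiment objects (constructed for this example; not LabOne Q's types).
@dataclass
class Pulse:
    length: float
    amplitude: float = 1.0


@dataclass
class Experiment:
    name: str
    pulses: list = field(default_factory=list)


def import_cls_vulnerable(qualname: str):
    """Pre-fix pattern: trust the fully-qualified name found in the file.

    importlib.import_module loads *any* importable module (importing alone
    runs its top-level code), and getattr then hands back any attribute of it.
    """
    module_name, _, cls_name = qualname.rpartition(".")
    module = importlib.import_module(module_name)
    return getattr(module, cls_name)


# Allowlist: the only classes deserialization may construct. Lookup is a plain
# dict access, so an unknown name never reaches importlib at all.
ALLOWED_CLASSES = {
    f"{__name__}.Pulse": Pulse,
    f"{__name__}.Experiment": Experiment,
}


def import_cls_hardened(qualname: str):
    """Hardened pattern: validate the name before touching the import system."""
    try:
        return ALLOWED_CLASSES[qualname]
    except KeyError:
        raise UnsafeClassError(f"refusing to instantiate {qualname!r}") from None


def deserialize(node, import_cls):
    """Rebuild objects from a JSON-like tree.

    A dict carrying "__class__" becomes an instance of that class; its "args"
    and "kwargs" are deserialized first, so nested objects are rebuilt too.
    """
    if isinstance(node, list):
        return [deserialize(x, import_cls) for x in node]
    if isinstance(node, dict):
        if "__class__" in node:
            cls = import_cls(node["__class__"])
            args = deserialize(node.get("args", []), import_cls)
            kwargs = deserialize(node.get("kwargs", {}), import_cls)
            return cls(*args, **kwargs)  # constructor call driven entirely by file contents
        return {k: deserialize(v, import_cls) for k, v in node.items()}
    return node


def load_experiment(text: str, import_cls):
    """Parse a serialized experiment document with the given class resolver."""
    return deserialize(json.loads(text), import_cls)


def is_rejected(text: str) -> bool:
    """True if the hardened loader refuses the document."""
    try:
        load_experiment(text, import_cls_hardened)
    except UnsafeClassError:
        return True
    return False


# Constructed sample inputs.
BENIGN_DOC = json.dumps({
    "__class__": f"{__name__}.Experiment",
    "kwargs": {
        "name": "rabi",
        "pulses": [{"__class__": f"{__name__}.Pulse", "kwargs": {"length": 40e-9}}],
    },
})

# A "shared experiment file" naming a class the framework never meant to build.
# collections.Counter keeps the demonstration harmless; the same mechanism
# resolves e.g. subprocess.Popen with a command line supplied in "args".
MALICIOUS_DOC = json.dumps({"__class__": "collections.Counter", "args": ["pwned"]})


if __name__ == "__main__":
    print(load_experiment(MALICIOUS_DOC, import_cls_vulnerable))  # a Counter built from the file
    print(import_cls_vulnerable("subprocess.Popen"))              # resolved, not called here
    print(load_experiment(BENIGN_DOC, import_cls_hardened))
    print("malicious document rejected:", is_rejected(MALICIOUS_DOC))
```

Two caveats a reviewer of such a fix should keep in mind: the allowlist check must run before any import (a module named in the file is executed the moment it is imported, whether or not the class is later rejected), and allowlisting class names still leaves constructor arguments attacker-controlled, so the allowed classes' constructors must themselves tolerate hostile input.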

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

Product | CPE
labone / labone q | cpe:2.3:a:labone:labone_q:*:*:*:*:*:*:*:*
python / python | cpe:2.3:a:python:python:*:*:*:*:*:*:*:*

References