PatchSiren

scikit-hep CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH scikit-hep CVE published 2026-07-18

CVE-2026-9147

The uproot library dynamically generates Python class source code from ROOT TStreamerInfo records in a file and compiles it at runtime. Some file-controlled streamer metadata fields are interpolated into the generated Python source without safe quoting. An attacker who can supply a crafted ROOT file can place Python expression-breaking content into a streamer metadata field. When uproot generates and invo [truncated]