HIGH
scikit-hep
CVE published 2026-07-18
CVE-2026-9147
The uproot library dynamically generates Python class source code from ROOT TStreamerInfo records in a file and compiles it at runtime. Some file-controlled streamer metadata fields are interpolated into the generated Python source without safe quoting. An attacker who can supply a crafted ROOT file can place Python expression-breaking content into a streamer metadata field. When uproot generates and invo [truncated]