CVE-2026-7584

Name of the Vulnerable Software and Affected Versions LabOne Q (affected versions not specified)

Description The serialization framework uses a class-loading mechanism import cls() to dynamically import and instantiate Python classes during deserialization. The mechanism accepts arbitrary fully-qualified class names from serialized data without validating the target class or restricting the modules that can be imported. This allows an attacker to craft a serialized experiment file that forces the deserialization engine to import and instantiate arbitrary Python classes with controlled constructor arguments, leading to arbitrary code execution in the context of the user running the Python process. This occurs when a victim loads a malicious file, such as a compromised experiment file shared for collaboration or support.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.