
Vulnerability Details CVE-2026-7584

The LabOne Q serialization framework uses a class-loading mechanism (import_cls) to dynamically import and instantiate Python classes during deserialization. Prior to the fix, this mechanism accepted arbitrary fully-qualified class names from the serialized data without any validation of the target class or restriction on which modules could be imported. An attacker can craft a serialized experiment file that causes the deserialization engine to import and instantiate arbitrary Python classes with attacker-controlled constructor arguments, resulting in arbitrary code execution in the context of the user running the Python process. Exploitation requires the victim to load a malicious file using LabOne Q's deserialization functions, for example a compromised experiment file shared for collaboration or support purposes.
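Added example, not LabOne Q's code and not the vendor's fix (which this page does not describe): a sketch of the unrestricted class-loading pattern described above next to a resolver that checks an exact-name allowlist before importing anything. The record layout (`__type__`, `kwargs`), every function name here, and the allowlist contents are assumptions made for illustration.

```python
import importlib

# Assumption: illustrative allowlist. A real one would enumerate exactly the
# classes the serializer is known to emit, by fully-qualified name.
ALLOWED_CLASSES = frozenset({"fractions.Fraction", "datetime.timedelta"})


class UntrustedClassError(ValueError):
    """Serialized data named a class that is not on the allowlist."""


def import_cls_unsafe(qualname):
    """Flawed pattern: import whatever dotted name the file supplies."""
    module_name, _, cls_name = qualname.rpartition(".")
    return getattr(importlib.import_module(module_name), cls_name)


def import_cls_checked(qualname, allowed=ALLOWED_CLASSES):
    """Resolve a class only when its exact dotted name is allowlisted."""
    # Check first: importing a module already runs its top-level code, so the
    # name must be rejected before import_module is ever called.
    if not isinstance(qualname, str) or qualname not in allowed:
        raise UntrustedClassError(f"class not permitted: {qualname!r}")
    module_name, _, cls_name = qualname.rpartition(".")
    obj = getattr(importlib.import_module(module_name), cls_name)
    if not isinstance(obj, type):
        raise UntrustedClassError(f"not a class: {qualname!r}")
    return obj


def load_node(node, allowed=ALLOWED_CLASSES):
    """Rebuild one object from a {'__type__': ..., 'kwargs': ...} record."""
    cls = import_cls_checked(node.get("__type__"), allowed)
    kwargs = node.get("kwargs", {})
    if not isinstance(kwargs, dict):
        raise UntrustedClassError("kwargs must be a mapping")
    return cls(**kwargs)


# Constructed sample records (not taken from a real experiment file).
SAMPLE_OK = {"__type__": "fractions.Fraction",
             "kwargs": {"numerator": 3, "denominator": 4}}
SAMPLE_REJECTED = {"__type__": "collections.OrderedDict", "kwargs": {}}
```

The allowlist matches whole names rather than module prefixes, so adding a class to a permitted package does not silently widen what a file can instantiate.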
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 5.6%
CVSS Severity
CVSS v3 Score 7.8
Products affected by CVE-2026-7584
  • Zhinst » Labone Q » Version: 2.41.0
    cpe:2.3:a:zhinst:labone_q:2.41.0
  • Zhinst » Labone Q » Version: 2.42.0
    cpe:2.3:a:zhinst:labone_q:2.42.0
  • Zhinst » Labone Q » Version: 2.43.0
    cpe:2.3:a:zhinst:labone_q:2.43.0
  • Zhinst » Labone Q » Version: 2.44.0
    cpe:2.3:a:zhinst:labone_q:2.44.0
  • Zhinst » Labone Q » Version: 2.45.0
    cpe:2.3:a:zhinst:labone_q:2.45.0
  • Zhinst » Labone Q » Version: 2.46.0
    cpe:2.3:a:zhinst:labone_q:2.46.0
  • Zhinst » Labone Q » Version: 2.47.0
    cpe:2.3:a:zhinst:labone_q:2.47.0
  • Zhinst » Labone Q » Version: 2.48.0
    cpe:2.3:a:zhinst:labone_q:2.48.0
  • Zhinst » Labone Q » Version: 2.49.0
    cpe:2.3:a:zhinst:labone_q:2.49.0
  • Zhinst » Labone Q » Version: 2.50.0
    cpe:2.3:a:zhinst:labone_q:2.50.0
  • Zhinst » Labone Q » Version: 2.51.0
    cpe:2.3:a:zhinst:labone_q:2.51.0
  • Zhinst » Labone Q » Version: 2.52.0
    cpe:2.3:a:zhinst:labone_q:2.52.0
  • Zhinst » Labone Q » Version: 2.53.0
    cpe:2.3:a:zhinst:labone_q:2.53.0
  • Zhinst » Labone Q » Version: 2.54.0
    cpe:2.3:a:zhinst:labone_q:2.54.0
  • Zhinst » Labone Q » Version: 2.55.0
    cpe:2.3:a:zhinst:labone_q:2.55.0
  • Zhinst » Labone Q » Version: 2.56.0
    cpe:2.3:a:zhinst:labone_q:2.56.0
  • Zhinst » Labone Q » Version: 2.57.0
    cpe:2.3:a:zhinst:labone_q:2.57.0
  • Zhinst » Labone Q » Version: 2.58.0
    cpe:2.3:a:zhinst:labone_q:2.58.0
  • Zhinst » Labone Q » Version: 2.59.0
    cpe:2.3:a:zhinst:labone_q:2.59.0
  • Zhinst » Labone Q » Version: 2.60.0
    cpe:2.3:a:zhinst:labone_q:2.60.0
  • Zhinst » Labone Q » Version: 2.60.1
    cpe:2.3:a:zhinst:labone_q:2.60.1
  • Zhinst » Labone Q » Version: 2.61.0
    cpe:2.3:a:zhinst:labone_q:2.61.0
  • Zhinst » Labone Q » Version: 2.62.0
    cpe:2.3:a:zhinst:labone_q:2.62.0
  • Zhinst » Labone Q » Version: 25.10.0
    cpe:2.3:a:zhinst:labone_q:25.10.0
  • Zhinst » Labone Q » Version: 25.10.1
    cpe:2.3:a:zhinst:labone_q:25.10.1
  • Zhinst » Labone Q » Version: 25.10.2
    cpe:2.3:a:zhinst:labone_q:25.10.2
  • Zhinst » Labone Q » Version: 25.10.3
    cpe:2.3:a:zhinst:labone_q:25.10.3
  • Zhinst » Labone Q » Version: 26.1.0
    cpe:2.3:a:zhinst:labone_q:26.1.0
  • Zhinst » Labone Q » Version: 26.1.1
    cpe:2.3:a:zhinst:labone_q:26.1.1
  • Zhinst » Labone Q » Version: 26.4.0
    cpe:2.3:a:zhinst:labone_q:26.4.0

