PYSEC-2026-510

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/qiskit/PYSEC-2026-510.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-510
Aliases
Published
2026-06-29T11:50:34.769394Z
Modified
2026-07-02T13:00:06.397787881Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Qiskit allows arbitrary code execution decoding QPY format versions < 13
Details

Impact

A maliciously crafted QPY file can potentially execute arbitrary-code embedded in the payload without privilege escalation when deserializing QPY formats < 13. A python process calling Qiskit's qiskit.qpy.load() function could potentially execute any arbitrary Python code embedded in the correct place in the binary file as part of a specially constructed payload.

Patches

Fixed in Qiskit 1.4.2 and in Qiskit 2.0.0rc2

References

Affected packages

PyPI / qiskit

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.4.2
Introduced
2.0.0rc1
Fixed
2.0.0rc2

Affected versions

0.*
0.3.2
0.3.3
0.3.4
0.3.5
0.3.6
0.3.7
0.3.8
0.3.9
0.3.10
0.3.11
0.3.12
0.3.13
0.3.14
0.3.15
0.3.16
0.4.0
0.4.1
0.4.2
0.4.3
0.4.4
0.4.5
0.4.6
0.4.7
0.4.8
0.4.9
0.4.10
0.4.11
0.4.12
0.4.13
0.4.14
0.4.15
0.5.0
0.5.1
0.5.2
0.5.3
0.5.4
0.5.5
0.5.6
0.5.7
0.6.0
0.6.1
0.7.0
0.7.1
0.7.2
0.7.3
0.8.0
0.8.1
0.9.0
0.10.0
0.10.1
0.10.2
0.10.3
0.10.4
0.10.5
0.11.0
0.11.1
0.11.2
0.12.0
0.12.1
0.12.2
0.13.0
0.14.0
0.14.1
0.15.0
0.16.0
0.16.1
0.16.2
0.17.0
0.18.0
0.18.1
0.18.2
0.18.3
0.19.0
0.19.1
0.19.2
0.19.3
0.19.4
0.19.5
0.19.6
0.20.0
0.20.1
0.21.0
0.22.0
0.23.0
0.23.1
0.23.2
0.23.3
0.23.4
0.23.5
0.23.6
0.24.0
0.24.1
0.25.0
0.25.1
0.25.2
0.25.3
0.25.4
0.26.0
0.26.1
0.26.2
0.27.0
0.28.0
0.29.0
0.29.1
0.30.0
0.30.1
0.31.0
0.32.0
0.32.1
0.33.0
0.33.1
0.34.0
0.34.1
0.34.2
0.35.0
0.36.0
0.36.1
0.36.2
0.37.0
0.37.1
0.37.2
0.38.0
0.39.0
0.39.1
0.39.2
0.39.3
0.39.4
0.39.5
0.40.0
0.41.0
0.41.1
0.42.0
0.42.1
0.43.0
0.43.1
0.43.2
0.43.3
0.44.0
0.44.1
0.44.2
0.44.3
0.45.0rc1
0.45.0
0.45.1
0.45.2
0.45.3
0.46.0
0.46.1
0.46.2
0.46.3
1.*
1.0.0b1
1.0.0rc1
1.0.0
1.0.1
1.0.2
1.1.0rc1
1.1.0
1.1.1
1.1.2
1.2.0rc1
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.3.0b1
1.3.0rc1
1.3.0rc2
1.3.0
1.3.1
1.3.2
1.3.3
1.4.0
1.4.1
2.*
2.0.0rc1

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/qiskit/PYSEC-2026-510.yaml"