
CVE-2025-2000 – Qiskit SDK code execution
https://notcve.org/view.php?id=CVE-2025-2000
14 Mar 2025 — A maliciously crafted QPY file can potentially execute arbitrary code embedded in the payload without privilege escalation when deserialising QPY formats < 13. A Python process calling Qiskit 0.18.0 through 1.4.1's `qiskit.qpy.load()` function could potentially execute any arbitrary Python code embedded in the correct place in the binary file as part of a specially constructed payload. • https://www.ibm.com/support/pages/node/7185949 • CWE-502: Deserialization of Untrusted Data

CVE-2025-1403 – Qiskit SDK denial of service
https://notcve.org/view.php?id=CVE-2025-1403
21 Feb 2025 — Qiskit SDK 0.45.0 through 1.2.4 could allow a remote attacker to cause a denial of service using a maliciously crafted QPY file containing a malformed symengine serialization stream, which can cause a segfault within the symengine library. • https://www.ibm.com/support/pages/node/7183868 • CWE-502: Deserialization of Untrusted Data