Quantum-Safe Code Auditing: LLM-Assisted Static Analysis and Quantum-Aware Risk Scoring for Post-Quantum Cryptography Migration

The impending arrival of cryptographically relevant quantum computers CRQCs threatens the security foundations of modern software: Shor's algorithm breaks RSA, ECDSA, ECDH, and Diffie-Hellman, while Grover's algorithm reduces the effective security of symmetric and hash-based schemes. Despite NIS...

Secure Quantum Communication: Simulation and Analysis of Quantum Key Distribution Protocols

Quantum computing poses significant threats to conventional cryptographic techniques such as RSA and AES, motivating the need for quantum secure communication methods. Quantum Key Distribution QKD offers information theoretic security based on fundamental quantum principles. This paper presents a...

QSpy: A Quantum RAT for Circuit Spying and IP Theft

As quantum computing platforms increasingly adopt cloud-based execution, users submit quantum circuits to remote compilers and backends, trusting that what they submit is exactly what will be run. This shift introduces new trust assumptions in the submission pipeline, which remain largely...

CVE-2025-1403

Qiskit SDK 0.45.0 through 1.2.4 could allow a remote attacker to cause a denial of service using a maliciously crafted QPY file containing a malformed symengine serialization stream which can cause a segfault within the symengine library...

EUVD-2025-4473

Malicious code in bioql PyPI...

EUVD-2024-1034

Malicious code in bioql PyPI...

EUVD-2025-6417

Malicious code in bioql PyPI...

CVE-2024-29032

Qiskit IBM Runtime is an environment that streamlines quantum computations and provides optimal implementations of the Qiskit quantum computing SDK. Starting in version 0.1.0 and prior to version 0.21.2, deserializing json data using qiskitibmruntime.RuntimeDecoder can lead to arbitrary code...

Security Bulletin: Qiskit SDK Vulnerability Allows Remote Attackers to Cause Denial of Service via Maliciously Crafted QPY File

Summary A maliciously crafted QPY file containing a malformed symengine serialization stream as part of the larger QPY serialization of a ParameterExpression object can cause a segfault within the symengine library, allowing an attacker to terminate the hosting process. Vulnerability Details...

Arbitrary Code Execution (ACE)

Qiskit is vulnerable to Arbitrary Code Execution ACE. The vulnerability is due to unsafe deserialization in the qiskit.qpy.load function, which allows a maliciously crafted QPY file to execute embedded Python code without privilege escalation...

CVE-2025-2000

A maliciously crafted QPY file can potential execute arbitrary-code embedded in the payload without privilege escalation when deserialising QPY formats 13. A python process calling Qiskit 0.18.0 through 1.4.1's qiskit.qpy.load function could potentially execute any arbitrary Python code embedded...

Deserialization of Untrusted Data

Overview qiskit-terra is a Software for developing quantum computing programs Affected versions of this package are vulnerable to Deserialization of Untrusted Data through the qiskit.qpy.load function. An attacker can execute arbitrary code by crafting a malicious QPY file and loading it via this...

acquantum-qiskit (>=0.0.1 <=0.0.3), aer-plugin (>=0.0.1 <=0.0.2) +161 more potentially affected by CVE-2025-2000 via qiskit (>=0.18.3 <=1.4.0)

qiskit PYPI version =0.18.3, =0.0.1, =0.0.1, =0.1.0, =0.1.4, =0.1.4, =0.0.1, =0.6.0, =0.0.0, =2.0.0, =0.0.3, =0.0.2, =0.1.0, =0.1.0.3 and more Source cves: CVE-2025-2000 Source advisory: SNYK:PYTHON-QISKIT-9459043...

Deserialization of Untrusted Data

Overview qiskit is an An open-source SDK for working with quantum computers at the level of extended quantum circuits, operators, and primitives. Affected versions of this package are vulnerable to Deserialization of Untrusted Data through the qiskit.qpy.load function. An attacker can execute...

Qiskit allows arbitrary code execution decoding QPY format versions < 13

Impact A maliciously crafted QPY file can potentially execute arbitrary-code embedded in the payload without privilege escalation when deserializing QPY formats 13. A python process calling Qiskit's qiskit.qpy.load function could potentially execute any arbitrary Python code embedded in the corre...

GHSA-3PWP-2FQJ-6G2P Duplicate Advisory: Qiskit allows arbitrary code execution decoding QPY format versions < 13

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-6m2c-76ff-6vrf. This link is maintained to preserve external references. Original Description A maliciously crafted QPY file can potential execute arbitrary-code embedded in the payload without privilege...

Duplicate Advisory: Qiskit allows arbitrary code execution decoding QPY format versions < 13

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-6m2c-76ff-6vrf. This link is maintained to preserve external references. Original Description A maliciously crafted QPY file can potential execute arbitrary-code embedded in the payload without privilege...

Security Bulletin: Arbitrary QPY Execution in Qiskit SDK QPY Deserialization < 13

Summary A maliciously crafted QPY payload can potential execute arbitrary-code embedded in the payload without privilege escalation when deserialising QPY format versions 13. A Python process calling Qiskit's qiskit.qpy.load function could potentially execute any arbitrary Python code embedded in...

CVE-2025-2000

A maliciously crafted QPY file can potential execute arbitrary-code embedded in the payload without privilege escalation when deserialising QPY formats 13. A python process calling Qiskit 0.18.0 through 1.4.1's qiskit.qpy.load function could potentially execute any arbitrary Python code embedded ...

CVE-2025-2000

A maliciously crafted QPY file can potential execute arbitrary-code embedded in the payload without privilege escalation when deserialising QPY formats 13. A python process calling Qiskit 0.18.0 through 1.4.1's qiskit.qpy.load function could potentially execute any arbitrary Python code embedded ...