CVE-2026-31225

HIGH

superduper <=0.10.0 Query Parser - Remote Code Execution

Title source: manual

Description

The superduper project thru v0.10.0 contains a critical remote code execution vulnerability in its query parsing component. The _parse_op_part() function in query.py uses the unsafe eval() function to dynamically evaluate user-supplied query operands without proper sanitization or restriction. Although the function attempts to limit the execution context by providing a restricted global namespace, it does not block access to dangerous built-in functions. A remote attacker can exploit this by submitting a specially crafted query string containing Python code that imports modules (e.g., os) and executes arbitrary system commands, leading to complete compromise of the server.

References (2)

Core 2

Core References

https://github.com/superduper-io/superduper

https://www.notion.so/CVE-2026-31225-35d1e1393188814f99b5eec7b6517190

Scores

CVSS v3 8.8

EPSS 0.0021

EPSS Percentile 43.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-94

Status published

Products (1)

pypi/superduper-framework 0 - 0.10.0PyPI

Published May 12, 2026

Tracked Since May 12, 2026