CVE-2026-33140

MEDIUM

PySpector: Stored XSS in PySpector HTML Report Generation leads to Javascript Code Execution

Title source: cna

Description

PySpector is a static analysis security testing (SAST) Framework engineered for modern Python development workflows. PySpector versions 0.1.6 and prior are affected by a stored Cross-Site Scripting (XSS) vulnerability in the HTML report generator. When PySpector scans a Python file containing JavaScript payloads (i.e. inside a string passed to eval() ), the flagged code snippet is interpolated into the HTML report without sanitization. Opening the generated report in a browser causes the embedded JavaScript to execute in the browser's local file context. This issue has been patched in version 0.1.7.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/ParzivalHack/PySpector/security/advisories/GHSA-2gmv-2r3v-jxj2

Scores

CVSS v3 6.1

EPSS 0.0001

EPSS Percentile 3.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (3)

parzivalhack/pyspector < 0.1.7

ParzivalHack/PySpector < 0.1.7

pypi/pyspector 0 - 0.1.7PyPI

Published Mar 20, 2026

Tracked Since Mar 21, 2026