CVE-2026-41206

MEDIUM

PySpector has a Plugin Code Execution Bypass via Incomplete Static Analysis in PluginSecurity.validate_plugin_code

Title source: cna

Description

PySpector is a static analysis security testing (SAST) Framework engineered for modern Python development workflows. The plugin security validator in PySpector uses AST-based static analysis to prevent dangerous code from being loaded as plugins. Prior to version 0.1.8, the blocklist implemented in `PluginSecurity.validate_plugin_code` is incomplete and can be bypassed using several Python constructs that are not checked. An attacker who can supply a plugin file can achieve arbitrary code execution within the PySpector process when that plugin is installed and executed. Version 0.1.8 fixes the issue.

References (3)

[X_Refsource_Confirm] https://github.com/ParzivalHack/PySpector/security/advisories/GHSA-vp22-38m5-r39r

[X_Refsource_Misc] https://github.com/ParzivalHack/PySpector/commit/3c9547157fc07396f22b26b3484a9a91eba98555

View Writeup ZIP pw:eip

[X_Refsource_Misc] https://github.com/ParzivalHack/PySpector/commit/4e279e078c53d760fd321ff9b698d683c65ccb8e

Scores

CVSS v4 6.9

EPSS 0.0002

EPSS Percentile 6.2%

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Details

CWE

CWE-184

Status published

Products (1)

ParzivalHack/PySpector < 0.1.8

Published Apr 23, 2026

Tracked Since Apr 23, 2026