PT-2026-50440 · Fgmacedo · Python-Statemachine
Vulncheck
·
Publicado
2026-06-17
·
Atualizado
2026-06-17
·
CVE-2026-47103
CVSS v3.1
9.8
Crítica
| Vetor | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
🚨Critical - Python StateMachine RCE via SCXML eval Injection (CVE-2026-47103)
The python-statemachine library evaluates expressions from SCXML documents unsafely. Attacker-controlled attributes are passed through the SCXMLProcessor call chain into Python's built-in eval() with no sandboxing, so a malicious SCXML document supplied to an application that parses it results in arbitrary Python code execution in the context of the hosting process.
The flaw is remotely exploitable with low complexity and requires no privileges or user interaction, making any service that ingests untrusted SCXML directly exposed.
👉Upgrade to python-statemachine 3.2.0.
Correção
RCE
Eval Injection
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Python-Statemachine