PT-2026-59651 · Pypi · Pyspector
Publicado
2026-07-13
·
Atualizado
2026-07-13
CVSS v4.0
5.3
Média
| Vetor | AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
Summary
PySpector versions
<= 0.1.6 are affected by a stored Cross-Site Scripting (XSS) vulnerability in the HTML report generator. When PySpector scans a Python file containing JavaScript payloads (i.e. inside a string passed to eval() ), the flagged code snippet is interpolated into the HTML report without sanitization. Opening the generated report in a browser causes the embedded JavaScript to execute in the browser's local file context.Impact
An attacker can craft a malicious Python file (for example, hosted in a public repository), designed to be scanned by PySpector. When a victim scans this file and opens the resulting HTML report, arbitrary JavaScript executes in their browser. While the
file:// context limits the attacker's ability to exfiltrate cookies or make credentialed requests, the following is still achievable:- Arbitrary DOM manipulation
- Redirects to attacker-controlled pages
- Theft of locally accessible data via
fetch()orXMLHttpRequesttofile://paths (browser-dependent)
Any user of PySpector who scans untrusted code and generates HTML reports, is potentially affected.
PoC
The following steps reproduce the vulnerability on PySpector
<= 0.1.6:- Create a malicious Python file containing a JavaScript payload embedded in a string argument to
eval(), and run PySpector against the file, generating an HTML report: - Open the generated HTML report in any browser:
Correção
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Pyspector