PT-2026-59696 · Pypi · Superduper-Framework

Publicado

2026-07-13

·

Atualizado

2026-07-13

CVSS v3.1

8.8

Alta

VetorAV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
The superduper project thru v0.10.0 contains a critical remote code execution vulnerability in its query parsing component. The parse op part() function in query.py uses the unsafe eval() function to dynamically evaluate user-supplied query operands without proper sanitization or restriction. Although the function attempts to limit the execution context by providing a restricted global namespace, it does not block access to dangerous built-in functions. A remote attacker can exploit this by submitting a specially crafted query string containing Python code that imports modules (e.g., os) and executes arbitrary system commands, leading to complete compromise of the server.

Correção

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Identificadores relacionados

PYSEC-2026-3077

Produtos afetados

Superduper-Framework