PT-2026-26197 · Pyspector · Pyspector

Satoridev01 · Published 2026-03-18 · Updated 2026-03-21 · CVE-2026-33140

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: PySpector versions prior to 0.1.7

Description: PySpector, a static analysis security testing (SAST) framework, is affected by a stored cross-site scripting (XSS) issue in its HTML report generator. When it scans a Python file containing JavaScript payloads (for example, inside a string passed to eval()), the flagged code snippet is inserted into the HTML report without proper sanitization. Opening the generated report in a browser causes the embedded JavaScript to execute in the browser's local file context. An attacker who crafts a malicious Python file can, once the file is scanned by PySpector and the resulting report is opened by a victim, achieve arbitrary DOM manipulation, redirects to attacker-controlled pages, and potential theft of locally accessible data. The eval() function is used to execute the JavaScript payload.

Recommendations: Versions prior to 0.1.7 should be updated to version 0.1.7 or later.
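The defect the description names is an output-encoding failure: text lifted from a scanned source file is treated as trusted markup when the report is assembled. The following is an added illustration, not PySpector's own code; the finding records, the row template, the CSP header and every function name are assumptions made for the example. It renders the same constructed findings with the vulnerable pattern (verbatim interpolation) and with the hardened pattern (html.escape on every field that originates from the scanned file), and includes a check that a report generator's test suite could run to catch a regression.

```python
import html
import re

# Constructed sample findings (not real PySpector output). The second snippet has
# the shape the advisory describes: a scanned Python file whose eval() argument
# carries HTML/JavaScript, which the report generator must escape before embedding.
SAMPLE_FINDINGS = [
    {"file": "app/views.py", "line": 7, "rule": "use-of-eval",
     "snippet": "eval(user_input)"},
    {"file": "app/util.py", "line": 12, "rule": "use-of-eval",
     "snippet": 'eval("<script>alert(document.location)</script>")'},
]

# Assumed row template; the real report layout is not on the advisory page.
ROW = "<tr><td>{file}:{line}</td><td>{rule}</td><td><code>{snippet}</code></td></tr>"


def render_row_unsafe(finding):
    """Vulnerable pattern: untrusted fields interpolated into HTML verbatim.
    Any markup inside the flagged snippet becomes live markup in the report."""
    return ROW.format(**finding)


def render_row_safe(finding):
    """Hardened pattern: every field that originates from the scanned file is
    HTML-escaped. quote=True also escapes quotes, so the same helper is safe
    if a field ever ends up inside an attribute value."""
    escaped = {k: html.escape(str(v), quote=True) for k, v in finding.items()}
    return ROW.format(**escaped)


def render_report(findings, row_renderer=render_row_safe):
    """Build a complete standalone HTML report. The Content-Security-Policy
    meta tag is defence in depth only: escaping is the actual fix, but with
    this policy a CSP-aware browser also refuses to run inline script should
    one field ever slip through unescaped."""
    rows = "\n".join(row_renderer(f) for f in findings)
    return (
        "<!doctype html>\n<html><head><meta charset=\"utf-8\">\n"
        "<meta http-equiv=\"Content-Security-Policy\" "
        "content=\"default-src 'none'; style-src 'unsafe-inline'\">\n"
        "<title>SAST report</title></head>\n<body>\n"
        "<table><tr><th>Location</th><th>Rule</th><th>Snippet</th></tr>\n"
        f"{rows}\n</table>\n</body></html>\n"
    )


_CODE_CELL = re.compile(r"<code>(.*?)</code>", re.S)


def snippet_cells_contain_markup(report_html):
    """Regression check: True if any <code> cell still contains a raw '<' or
    '>' character, meaning scanner output leaked into the report's markup."""
    return any("<" in m or ">" in m for m in _CODE_CELL.findall(report_html))


if __name__ == "__main__":
    # Writing this to a file and opening it locally reproduces the defence,
    # not the vulnerability: the snippet shows up as text, not as a script.
    print(render_report(SAMPLE_FINDINGS))
```

The escaping is applied at the point where data meets markup, not where the finding is collected, so it stays correct no matter which scanner rule produced the snippet. If the report ever moves to a templating engine, the equivalent is leaving autoescape enabled and never marking scanner-derived strings as safe.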

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-33140
GHSA-2GMV-2R3V-JXJ2

Affected Products

Pyspector