CVE-2026-31225

Name of the Vulnerable Software and Affected Versions superduper versions prior to 0.10.0

Description A remote code execution issue exists in the query parsing component. The parse op part() function in query.py utilizes the unsafe eval() function to dynamically evaluate user-supplied query operands without proper sanitization or restriction. While the function attempts to limit the execution context via a restricted global namespace, it fails to block access to dangerous built-in functions. A remote attacker can submit a specially crafted query string containing Python code to import modules and execute arbitrary system commands, potentially leading to a complete server compromise.

Recommendations Update to a version later than 0.10.0. As a temporary workaround, restrict access to the parse op part() function until a patch is applied.