CVE-2026-47103

🚨Critical - Python StateMachine RCE via SCXML eval Injection (CVE-2026-47103)

The python-statemachine library evaluates expressions from SCXML documents unsafely. Attacker-controlled attributes are passed through the SCXMLProcessor call chain into Python's built-in eval() with no sandboxing, so a malicious SCXML document supplied to an application that parses it results in arbitrary Python code execution in the context of the hosting process.

The flaw is remotely exploitable with low complexity and requires no privileges or user interaction, making any service that ingests untrusted SCXML directly exposed.

👉Upgrade to python-statemachine 3.2.0.