Vulnerability Details CVE-2026-41206
PySpector is a static analysis security testing (SAST) Framework engineered for modern Python development workflows. The plugin security validator in PySpector uses AST-based static analysis to prevent dangerous code from being loaded as plugins. Prior to version 0.1.8, the blocklist implemented in `PluginSecurity.validate_plugin_code` is incomplete and can be bypassed using several Python constructs that are not checked. An attacker who can supply a plugin file can achieve arbitrary code execution within the PySpector process when that plugin is installed and executed. Version 0.1.8 fixes the issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 6.3%
CVSS Severity
References
- https://github.com/ParzivalHack/PySpector/commit/3c9547157fc07396f22b26b3484a9a91eba98555
- https://github.com/ParzivalHack/PySpector/commit/4e279e078c53d760fd321ff9b698d683c65ccb8e
- https://github.com/ParzivalHack/PySpector/security/advisories/GHSA-vp22-38m5-r39r
- https://github.com/ParzivalHack/PySpector/security/advisories/GHSA-vp22-38m5-r39r