Description
PySpector is a static analysis security testing (SAST) framework engineered for modern Python development workflows. PySpector versions 0.1.6 and prior are affected by a security validation bypass in the plugin system. The validate_plugin_code() function in plugin_system.py performs static AST analysis to block dangerous API calls before a plugin is trusted and executed. However, the internal resolve_name() helper only handles ast.Name and ast.Attribute node types, returning None for all others. When a plugin uses an indirect function call via getattr() (such as getattr(os, 'system')(...)), the outer call's func node is an ast.Call, so resolve_name() returns None and the security check is silently skipped. The plugin incorrectly passes the trust workflow and executes arbitrary system commands on the user's machine when loaded. This issue has been patched in version 0.1.7.
Published: 2026-03-20
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution via plugin sandbox bypass
Action: Immediate Patch
AI Analysis

Impact

PySpector versions 0.1.6 and earlier contain a validation bypass in the plugin system. The validate_plugin_code() function performs static AST analysis to block dangerous API calls, but its internal name resolver only processes ast.Name and ast.Attribute nodes. When a plugin uses indirect calls such as getattr(os, 'system'), the function node is ast.Call and the resolver returns None, causing the security check to be skipped. The plugin is then trusted and executed, allowing arbitrary system commands to run on the host machine. This results in full code execution where the attacker can run any command with the privileges of the user running PySpector.
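To make the bypass concrete, the block below is an added, illustrative reconstruction of the pattern the description and the Impact paragraph above describe. It is not PySpector's code: the denylist, the function names, the DYNAMIC sentinel and the sample plugin sources are constructed assumptions. The naive resolver handles only ast.Name and ast.Attribute, so a callee that is itself an ast.Call (the result of getattr()) yields None and is never compared against the denylist. The hardened resolver folds getattr(obj, "literal") into the dotted name obj.literal and reports any callee it cannot resolve, so the validator fails closed instead of open.

```python
import ast

# Constructed denylist for the example; PySpector's real list is not on the page.
BLOCKED = {
    "os.system", "os.popen", "os.execv", "subprocess.run", "subprocess.Popen",
    "subprocess.call", "eval", "exec", "__import__",
}
DYNAMIC = "<dynamic>"  # sentinel: the callee cannot be pinned down statically

# Constructed sample plugins (not real PySpector plugins).
DIRECT_PLUGIN = "import os\nos.system('id')\n"
INDIRECT_PLUGIN = "import os\ngetattr(os, 'system')('id')\n"
RUNTIME_NAME_PLUGIN = "import os\nn = 'sys' + 'tem'\ngetattr(os, n)('id')\n"
BENIGN_PLUGIN = "import os\nprint(os.path.join('a', 'b'))\n"


def resolve_name_naive(node):
    """Flawed resolver: only ast.Name and ast.Attribute are understood.

    Every other node type, including ast.Call, yields None, and the caller
    below treats None as 'nothing to check'."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = resolve_name_naive(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def validate_naive(source):
    """Return the blocked dotted names found; [] means the plugin is 'trusted'."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = resolve_name_naive(node.func)
            if name in BLOCKED:
                findings.append(name)
    return findings


def _is_getattr(node):
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id == "getattr")


def resolve_name_hardened(node):
    """Resolver that folds literal getattr() into a dotted name and returns
    DYNAMIC for any callable it cannot resolve, so the caller can fail closed."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = resolve_name_hardened(node.value)
        if base is None or base == DYNAMIC:
            return base
        return f"{base}.{node.attr}"
    if _is_getattr(node):
        # getattr(obj, "attr") with a string literal is obj.attr spelled sideways
        if (len(node.args) >= 2 and isinstance(node.args[1], ast.Constant)
                and isinstance(node.args[1].value, str)):
            base = resolve_name_hardened(node.args[0])
            if base is None or base == DYNAMIC:
                return DYNAMIC
            return f"{base}.{node.args[1].value}"
        return DYNAMIC  # attribute name is computed at runtime
    if isinstance(node, ast.Call):
        return DYNAMIC  # calling the result of some other call: unresolvable
    return None  # literals, subscripts, lambdas: not a dotted name


def validate_hardened(source):
    """Check every Call for what it invokes and, for getattr(), for what it
    produces; unresolvable callees are reported rather than silently skipped."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        candidates = [resolve_name_hardened(node.func)]
        if _is_getattr(node):
            candidates.append(resolve_name_hardened(node))
        for name in candidates:
            if name == DYNAMIC:
                findings.append(f"line {node.lineno}: unresolvable callable, rejected")
            elif name in BLOCKED:
                findings.append(f"line {node.lineno}: blocked call {name}")
    return findings


def plugin_is_trusted(source, validator=validate_hardened):
    """Trust decision as the advisory describes it: no findings means trusted."""
    return not validator(source)


if __name__ == "__main__":
    for label, src in [("direct", DIRECT_PLUGIN), ("indirect", INDIRECT_PLUGIN),
                       ("runtime-name", RUNTIME_NAME_PLUGIN), ("benign", BENIGN_PLUGIN)]:
        print(f"{label:13} naive={validate_naive(src)!r:16} hardened={validate_hardened(src)!r}")
```

Run stand-alone, the naive validator flags the direct os.system('id') call but returns an empty list for getattr(os, 'system')('id'), which is exactly the trust-workflow bypass; the hardened validator flags both, and rejects getattr(os, n)('id') because the attribute name is not a literal. The design choice worth copying is the sentinel: a resolver that can say "I do not know" lets the validator refuse unknown callees, whereas one that returns None for unknown shapes invites the caller to skip them. Even so, a static denylist over the AST is not a sandbox (aliasing, importlib, and data-driven dispatch all remain), which is why the recommended actions on this page still come down to upgrading and loading only plugins from trusted sources.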

Affected Systems

The affected product is PySpector, developed by ParzivalHack. All releases 0.1.6 and earlier are vulnerable; the vulnerability was fixed in version 0.1.7.

Risk and Exploitability

The CVSS 4.0 score of 8.3 reflects high severity (the CVSS 3.1 score recorded by NVD is 7.8), and the EPSS of less than 1% indicates a low but non-negligible exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Both vectors are local (AV:L) and require user interaction: the attacker must supply a malicious plugin that uses an indirect call such as getattr(os, 'system'), and a user or an automated pipeline must then load it. Once loaded, the plugin executes arbitrary code with the privileges of the user running PySpector. The SSVC record lists exploitation as 'poc' (a proof of concept exists) with total technical impact.

Generated by OpenCVE AI on March 24, 2026 at 16:26 UTC.

Remediation

The vendor fix is PySpector 0.1.7 (see GHSA-v3xv-8vc3-h2m6); no separate workaround for earlier versions is published.

OpenCVE Recommended Actions

  • Apply PySpector version 0.1.7 or later, which contains a patch that correctly validates plugin code.
  • For environments that must continue using vulnerable versions, delete or rename any untrusted plugin files from the plugin directory to prevent accidental loading.
  • Verify the source of any plugin before adding it to the project, ensuring it comes from a trusted contributor and does not contain malicious code.

Generated by OpenCVE AI on March 24, 2026 at 16:26 UTC.

Advisories

Source: GitHub GHSA
ID: GHSA-v3xv-8vc3-h2m6
Title: PySpector has a Plugin Sandbox Bypass leads to Arbitrary Code Execution

History

Tue, 24 Mar 2026 15:15:00 +0000

Values Added
CPEs: cpe:2.3:a:parzivalhack:pyspector:*:*:*:*:*:python:*:*
Metrics: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Mon, 23 Mar 2026 10:00:00 +0000

Values Added
First Time appeared: Parzivalhack; Parzivalhack pyspector
Vendors & Products: Parzivalhack; Parzivalhack pyspector

Fri, 20 Mar 2026 21:15:00 +0000

Values Added
Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 20:15:00 +0000

Values Added
Description: PySpector is a static analysis security testing (SAST) framework engineered for modern Python development workflows. PySpector versions 0.1.6 and prior are affected by a security validation bypass in the plugin system. The validate_plugin_code() function in plugin_system.py performs static AST analysis to block dangerous API calls before a plugin is trusted and executed. However, the internal resolve_name() helper only handles ast.Name and ast.Attribute node types, returning None for all others. When a plugin uses an indirect function call via getattr() (such as getattr(os, 'system')(...)), the outer call's func node is an ast.Call, so resolve_name() returns None and the security check is silently skipped. The plugin incorrectly passes the trust workflow and executes arbitrary system commands on the user's machine when loaded. This issue has been patched in version 0.1.7.
Title: PySpector: Plugin Sandbox Bypass leads to Arbitrary Code Execution
Weaknesses: CWE-184
References:
Metrics: cvssV4_0 {'score': 8.3, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T20:14:19.228Z

Reserved: 2026-03-17T20:35:49.929Z

Link: CVE-2026-33139

Vulnrichment

Updated: 2026-03-20T20:14:14.817Z

NVD

Status: Analyzed

Published: 2026-03-20T20:16:48.917

Modified: 2026-03-24T15:06:10.547

Link: CVE-2026-33139

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:34:47Z

Weaknesses