Description
PySpector is a static analysis security testing (SAST) Framework engineered for modern Python development workflows. PySpector versions 0.1.6 and prior are affected by a stored Cross-Site Scripting (XSS) vulnerability in the HTML report generator. When PySpector scans a Python file containing JavaScript payloads (i.e. inside a string passed to eval() ), the flagged code snippet is interpolated into the HTML report without sanitization. Opening the generated report in a browser causes the embedded JavaScript to execute in the browser's local file context. This issue has been patched in version 0.1.7.
Published: 2026-03-20
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS enabling local JavaScript execution
Action: Patch
AI Analysis

Impact

A stored cross‑site scripting flaw exists in PySpector’s HTML report generation. When a Python file containing JavaScript code inside a string passed to eval() is scanned, the discovered snippet is inserted into the generated HTML report without sanitization. Viewing that report in a browser causes the embedded JavaScript to execute in the browser’s local file context, allowing an attacker to run arbitrary scripts on the victim’s machine.

Affected Systems

The vulnerability affects all ParzivalHack PySpector releases up to and including version 0.1.6. Version 0.1.7 and later contain the fix.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity. The EPSS score of less than 1% shows a low likelihood of active exploitation, and the issue is not listed in the CISA KEV catalog. Exploitation would require an attacker to craft a Python source file with malicious JavaScript, have PySpector generate an HTML report incorporating that file, and then have a user open the resulting report in a browser. The attack is local to the environment that views the report. Prevention hinges on applying the vendor patch and treating generated reports as potentially unsafe content.

Generated by OpenCVE AI on March 24, 2026 at 22:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update PySpector to version 0.1.7 or later.

Generated by OpenCVE AI on March 24, 2026 at 22:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-2gmv-2r3v-jxj2 Stored XSS in PySpector HTML Report Generation leads to Javascript Code Execution
History

Tue, 24 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:parzivalhack:pyspector:*:*:*:*:*:python:*:*
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Tue, 24 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Parzivalhack
Parzivalhack pyspector
Vendors & Products Parzivalhack
Parzivalhack pyspector

Fri, 20 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Description PySpector is a static analysis security testing (SAST) Framework engineered for modern Python development workflows. PySpector versions 0.1.6 and prior are affected by a stored Cross-Site Scripting (XSS) vulnerability in the HTML report generator. When PySpector scans a Python file containing JavaScript payloads (i.e. inside a string passed to eval() ), the flagged code snippet is interpolated into the HTML report without sanitization. Opening the generated report in a browser causes the embedded JavaScript to execute in the browser's local file context. This issue has been patched in version 0.1.7.
Title PySpector: Stored XSS in PySpector HTML Report Generation leads to Javascript Code Execution
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Parzivalhack Pyspector
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T18:55:00.491Z

Reserved: 2026-03-17T20:35:49.929Z

Link: CVE-2026-33140

cve-icon Vulnrichment

Updated: 2026-03-24T18:54:57.369Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T20:16:49.077

Modified: 2026-03-24T21:17:03.283

Link: CVE-2026-33140

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:34:46Z

Weaknesses