Description
Python StateMachine versions 3.0.0 before 3.2.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary code by supplying malicious SCXML documents containing crafted `<data expr="...">` attributes evaluated unsafely. The SCXMLProcessor passes attacker-controlled expression strings through a call chain ending in Python's built-in eval() without sandboxing, enabling arbitrary code execution in the context of the hosting process.
Published: 2026-06-17
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Python StateMachine 3.x processes SCXML documents that include <data expr="..."> attributes. In affected versions, the expression string is passed directly to Python's eval() without sanitization. This allows an attacker to embed arbitrary Python code in a malicious SCXML file, leading to remote code execution in the context of the hosting application. The weakness is an unsafe expression evaluation, mapped to CWE‑95.

Affected Systems

The vulnerability exists in the open‑source Python library python‑statemachine maintained by fgmacedo. Users who are running versions 3.0.0 through 3.1.x are affected. Versions 3.2.0 and later mitigate the flaw.

Risk and Exploitability

The CVSS score is 9.3 (Critical), reflecting complete loss of confidentiality, integrity, and availability. EPSS is less than 1%, indicating that the current probability of exploitation is very low, and the vulnerability is not listed in CISA's KEV catalog, so no exploitation in the wild has been reported. The primary attack vector would likely be an attacker who can supply a crafted SCXML document to an application that loads it, such as via file upload, configuration, or network message. Because the vulnerability permits arbitrary code execution, the impact can be system‑wide if the hosting process runs with elevated privileges.

Generated by OpenCVE AI on June 18, 2026 at 20:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade python‑statemachine to version 3.2.0 or later, which removes the unsafe eval path.
  • Disallow SCXML documents from untrusted sources or replace the eval call with a safe parser, ensuring that only trusted data expr values are accepted.
  • If upgrading is not immediately possible, audit the application’s SCXML handling code to sandbox or eliminate the eval usage and validate all input before processing.
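As an added illustration of the mitigation in the recommended actions (this is example code, not code from python-statemachine), a pre-load validator that reads `<data expr>` attributes with ast.literal_eval rather than eval(), so only Python literals are accepted and any name, call, attribute access or subscript is rejected before the document reaches the state machine. The SCXML samples are constructed for this example; the `load_settings()` expression is a stand-in for any non-literal value.

```python
import ast
import xml.etree.ElementTree as ET

class UnsafeExpressionError(ValueError):
    """A <data expr> was something other than a Python literal."""

def safe_data_value(expr: str):
    """Evaluate an SCXML <data expr> as a Python literal only.
    ast.literal_eval accepts numbers, strings, tuples, lists, dicts, sets,
    booleans and None; names, calls, attribute access and subscripts raise
    ValueError, so nothing here can reach eval()."""
    try:
        return ast.literal_eval(expr.strip())
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise UnsafeExpressionError(f"non-literal data expr rejected: {expr!r}") from exc

def extract_data_model(scxml_text: str) -> dict:
    """Collect <data id expr/> entries, evaluating each expr as a literal.
    Raises UnsafeExpressionError on the first non-literal expr. (For XML from
    untrusted peers, parse with defusedxml instead; assumption, not shown.)"""
    root = ET.fromstring(scxml_text)
    model = {}
    for elem in root.iter():
        # Strip the {namespace} prefix ElementTree prepends to namespaced tags.
        if elem.tag.rsplit("}", 1)[-1] != "data" or elem.get("id") is None:
            continue
        expr = elem.get("expr")
        model[elem.get("id")] = None if expr is None else safe_data_value(expr)
    return model

def is_safe_document(scxml_text: str) -> bool:
    """True if the document parses and every <data expr> is a plain literal."""
    try:
        extract_data_model(scxml_text)
    except (UnsafeExpressionError, ET.ParseError):
        return False
    return True

# Constructed sample documents for this example.
BENIGN_SCXML = """<scxml xmlns="http://www.w3.org/2005/07/scxml" version="1.0" initial="idle">
  <datamodel>
    <data id="retries" expr="3"/>
    <data id="label" expr="'ready'"/>
    <data id="limits" expr="{'max': 10, 'min': 1}"/>
  </datamodel>
  <state id="idle"/>
</scxml>"""
# Same layout, but expr is a call rather than a literal: must be rejected.
REJECTED_SCXML = BENIGN_SCXML.replace('expr="3"', 'expr="load_settings()"')
```

Run the validator on every document before handing it to the SCXML processor; a rejected document should be logged and dropped rather than loaded.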



Advisories
Source: Github GHSA
ID: GHSA-v4jc-pm6r-3vj8
Title: python-statemachine SCXML <data expr> Eval Injection
History

Thu, 18 Jun 2026 16:45:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 04:45:00 +0000

Type: Description
Values Added: Python StateMachine versions 3.0.0 before 3.2.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary code by supplying malicious SCXML documents containing crafted `<data expr="...">` attributes evaluated unsafely. The SCXMLProcessor passes attacker-controlled expression strings through a call chain ending in Python's built-in eval() without sandboxing, enabling arbitrary code execution in the context of the hosting process.

Type: Title
Values Added: Python StateMachine 3.0.0 < 3.2.0 RCE via SCXML eval() Injection

Type: Weaknesses
Values Added: CWE-95

Type: References

Type: Metrics
Values Added: cvssV3_1
{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
cvssV4_0
{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-18T14:31:25.241Z

Reserved: 2026-05-18T19:22:26.748Z

Link: CVE-2026-47103

Vulnrichment

Updated: 2026-06-18T14:31:19.137Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T20:15:04Z

Weaknesses
  • CWE-95

    Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')