CVE-2026-33140

Description

PySpector is a static analysis security testing (SAST) Framework engineered for modern Python development workflows. PySpector versions 0.1.6 and prior are affected by a stored Cross-Site Scripting (XSS) vulnerability in the HTML report generator. When PySpector scans a Python file containing JavaScript payloads (i.e. inside a string passed to eval() ), the flagged code snippet is interpolated into the HTML report without sanitization. Opening the generated report in a browser causes the embedded JavaScript to execute in the browser's local file context. This issue has been patched in version 0.1.7.

CVSS Details

CVSS Score

6.1

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:parzivalhack:pyspector:*:*:*:*:*:python:*:* - VULNERABLE

PySpector <= 0.1.6

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# Create a malicious Python file to be scanned by PySpector
# PoC: Malicious code inside a string passed to eval()

def analyze_data():
    malicious_input = '<img src=x onerror=alert(1)>'
    # PySpector may flag this eval usage and include the string in the report
    return eval(malicious_input)

# When PySpector scans this file and generates the HTML report,
# the '<img src=x onerror=alert(1)>' string may be injected without sanitization.

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-33140
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-33140
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-33140/
[4] VulDB https://vuldb.com/cve/CVE-2026-33140
[5] https://github.com/ParzivalHack/PySpector/security/advisories/GHSA-2gmv-2r3v-jxj2

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-33140", "sourceIdentifier": "[email protected]", "published": "2026-03-20T20:16:49.077", "lastModified": "2026-03-24T21:17:03.283", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "PySpector is a static analysis security testing (SAST) Framework engineered for modern Python development workflows. PySpector versions 0.1.6 and prior are affected by a stored Cross-Site Scripting (XSS) vulnerability in the HTML report generator. When PySpector scans a Python file containing JavaScript payloads (i.e. inside a string passed to eval() ), the flagged code snippet is interpolated into the HTML report without sanitization. Opening the generated report in a browser causes the embedded JavaScript to execute in the browser's local file context. This issue has been patched in version 0.1.7."}, {"lang": "es", "value": "PySpector es un Framework de pruebas de seguridad de análisis estático (SAST) diseñado para flujos de trabajo de desarrollo de Python modernos. Las versiones 0.1.6 y anteriores de PySpector están afectadas por una vulnerabilidad de Cross-Site Scripting (XSS) almacenado en el generador de informes HTML. Cuando PySpector escanea un archivo Python que contiene cargas útiles de JavaScript (es decir, dentro de una cadena pasada a eval() ), el fragmento de código marcado se intercala en el informe HTML sin sanitización. Abrir el informe generado en un navegador hace que el JavaScript incrustado se ejecute en el contexto de archivo local del navegador. Este problema ha sido parcheado en la versión 0.1.7."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:parzivalhack:pyspector:*:*:*:*:*:python:*:*", "versionEndExcluding": "0.1.7", "matchCriteriaId": "1C1B240D-CB1E-449D-8AB2-83C1E9D6B316"}]}]}], "references": [{"url": "https://github.com/ParzivalHack/PySpector/security/advisories/GHSA-2gmv-2r3v-jxj2", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}