GHSA-v4jc-pm6r-3vj8
Suggest an improvement- Source
- https://github.com/advisories/GHSA-v4jc-pm6r-3vj8
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-v4jc-pm6r-3vj8/GHSA-v4jc-pm6r-3vj8.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-v4jc-pm6r-3vj8
- Aliases
-
- CVE-2026-47103
- Published
- 2026-06-18T14:28:02Z
- Modified
- 2026-06-18T14:30:10.300269610Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator
- Summary
- python-statemachine SCXML <data expr> Eval Injection
- Details
-
Summary
python-statemachine 3.1.2 evaluates
<data expr="...">attributes in SCXML documents using Python'seval(). Any application that passes attacker-controlled SCXML content toSCXMLProcessoris vulnerable to arbitrary code execution in the context of the hosting process.Details
SCXMLProcessor.parse_scxml_file()processes SCXML documents and evaluates<data>elementexprattributes via the following call chain:SCXMLProcessor.parse_scxml_file() SCXMLProcessor.process_definition() create_datamodel_action_callable() _create_dataitem_callable() _eval() eval()_eval()calls Python's built-ineval()directly on the expression string without sandboxing or restriction.PoC
1. Install: pip install python-statemachine==3.1.2 2. Create an SCXML file containing: <data id="x" expr="__import__('pathlib').Path('marker.txt').write_text('pwned')"/> 3. Run: SCXMLProcessor.parse_scxml_file(DATA_EXPR_CHART) SCXMLProcessor.start() 4. During start(), <data expr> reaches _eval(), which calls eval(). 5. Result: data_marker_before_start: False data_marker_after_start: True success: TrueImpact
This is an eval injection vulnerability (CWE-95). Remote or local code execution depending on whether the consuming application accepts SCXML content from remote users, uploaded files, configuration, plugins, or other untrusted sources.
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-06-18T14:28:02Z", "nvd_published_at": "2026-06-17T15:16:58Z", "severity": "CRITICAL", "cwe_ids": [ "CWE-95" ] }- References
-
- https://github.com/fgmacedo/python-statemachine/security/advisories/GHSA-v4jc-pm6r-3vj8
- https://nvd.nist.gov/vuln/detail/CVE-2026-47103
- https://github.com/fgmacedo/python-statemachine
- https://github.com/fgmacedo/python-statemachine/releases/tag/v3.2.0
- https://www.vulncheck.com/advisories/python-statemachine-rce-via-scxml-eval-injection
Affected packages
PyPI / python-statemachine
Package
- Name
- python-statemachine
- View open source insights on deps.dev
- Purl
- pkg:pypi/python-statemachine