An issue in the component js2py.disable_pyimport() of js2py up to v0.74 allows attackers to execute arbitrary code via a crafted API call.
js2py.disable_pyimport()
"https://github.com/pypa/advisory-database/blob/main/vulns/js2py/PYSEC-2026-1476.yaml"