PYSEC-2026-3029

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/pyspector/PYSEC-2026-3029.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-3029
Aliases
Published
2026-07-13T14:36:43.604457Z
Modified
2026-07-13T16:33:10.065061284Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
Stored XSS in PySpector HTML Report Generation leads to Javascript Code Execution
Details

Summary

PySpector versions <= 0.1.6 are affected by a stored Cross-Site Scripting (XSS) vulnerability in the HTML report generator. When PySpector scans a Python file containing JavaScript payloads (i.e. inside a string passed to eval() ), the flagged code snippet is interpolated into the HTML report without sanitization. Opening the generated report in a browser causes the embedded JavaScript to execute in the browser's local file context.

Impact

An attacker can craft a malicious Python file (for example, hosted in a public repository), designed to be scanned by PySpector. When a victim scans this file and opens the resulting HTML report, arbitrary JavaScript executes in their browser. While the file:// context limits the attacker's ability to exfiltrate cookies or make credentialed requests, the following is still achievable: - Arbitrary DOM manipulation - Redirects to attacker-controlled pages - Theft of locally accessible data via fetch() or XMLHttpRequest to file:// paths (browser-dependent)

Any user of PySpector who scans untrusted code and generates HTML reports, is potentially affected.

PoC

The following steps reproduce the vulnerability on PySpector <= 0.1.6: 1. Create a malicious Python file containing a JavaScript payload embedded in a string argument to eval(), and run PySpector against the file, generating an HTML report: <img width="871" height="752" alt="image" src="https://github.com/user-attachments/assets/1b0a57f2-3632-4347-a9b7-6a94dc2e82b2" /> 2. Open the generated HTML report in any browser: <img width="1920" height="920" alt="image" src="https://github.com/user-attachments/assets/a4075c4a-6153-41b4-ad77-81d009d7a9f8" />

References

Affected packages

PyPI / pyspector

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.1.7

Affected versions

0.*
0.1.1
0.1.2
0.1.3
0.1.4
0.1.4.post1
0.1.5
0.1.6

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/pyspector/PYSEC-2026-3029.yaml"