Python StateMachine versions 3.0.0 before 3.2.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary code by supplying malicious SCXML documents containing crafted `<data expr="...">` attributes evaluated unsafely. The SCXMLProcessor passes attacker-controlled expression strings through a call chain ending in Python's built-in eval() without sandboxing, enabling arbitrary code execution in the context of the hosting process.
References
| Link | Resource |
|---|---|
| https://github.com/fgmacedo/python-statemachine/releases/tag/v3.2.0 | Release Notes |
| https://github.com/fgmacedo/python-statemachine/security/advisories/GHSA-v4jc-pm6r-3vj8 | Exploit Vendor Advisory |
| https://www.vulncheck.com/advisories/python-statemachine-rce-via-scxml-eval-injection | Third Party Advisory VDB Entry |
| https://github.com/fgmacedo/python-statemachine/security/advisories/GHSA-v4jc-pm6r-3vj8 | Exploit Vendor Advisory |
Configurations
History
08 Jul 2026, 03:30
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Fgmacedo
Fgmacedo python Statemachine |
|
| CPE | cpe:2.3:a:fgmacedo:python_statemachine:*:*:*:*:*:python:*:* | |
| References | () https://github.com/fgmacedo/python-statemachine/releases/tag/v3.2.0 - Release Notes | |
| References | () https://github.com/fgmacedo/python-statemachine/security/advisories/GHSA-v4jc-pm6r-3vj8 - Exploit, Vendor Advisory | |
| References | () https://www.vulncheck.com/advisories/python-statemachine-rce-via-scxml-eval-injection - Third Party Advisory, VDB Entry | |
| CWE | CWE-94 |
18 Jun 2026, 16:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-06-17 15:16
Updated : 2026-07-08 03:30
NVD link : CVE-2026-47103
Mitre link : CVE-2026-47103
CVE.ORG link : CVE-2026-47103
JSON object : View
Products Affected
fgmacedo
- python_statemachine
