CVE-2026-47103

Python StateMachine versions 3.0.0 before 3.2.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary code by supplying malicious SCXML documents containing crafted `<data expr="...">` attributes evaluated unsafely. The SCXMLProcessor passes attacker-controlled expression strings through a call chain ending in Python's built-in eval() without sandboxing, enabling arbitrary code execution in the context of the hosting process.
Configurations

Configuration 1 (hide)

cpe:2.3:a:fgmacedo:python_statemachine:*:*:*:*:*:python:*:*

History

08 Jul 2026, 03:30

Type Values Removed Values Added
First Time Fgmacedo
Fgmacedo python Statemachine
CPE cpe:2.3:a:fgmacedo:python_statemachine:*:*:*:*:*:python:*:*
References () https://github.com/fgmacedo/python-statemachine/releases/tag/v3.2.0 - () https://github.com/fgmacedo/python-statemachine/releases/tag/v3.2.0 - Release Notes
References () https://github.com/fgmacedo/python-statemachine/security/advisories/GHSA-v4jc-pm6r-3vj8 - () https://github.com/fgmacedo/python-statemachine/security/advisories/GHSA-v4jc-pm6r-3vj8 - Exploit, Vendor Advisory
References () https://www.vulncheck.com/advisories/python-statemachine-rce-via-scxml-eval-injection - () https://www.vulncheck.com/advisories/python-statemachine-rce-via-scxml-eval-injection - Third Party Advisory, VDB Entry
CWE CWE-94

18 Jun 2026, 16:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-06-17 15:16

Updated : 2026-07-08 03:30


NVD link : CVE-2026-47103

Mitre link : CVE-2026-47103

CVE.ORG link : CVE-2026-47103


JSON object : View

Products Affected

fgmacedo

  • python_statemachine
CWE
CWE-95

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

CWE-94

Improper Control of Generation of Code ('Code Injection')