Vulnerabilities (CVE)

Filtered by vendor Fgmacedo Subscribe
Filtered by product Python Statemachine
Total 1 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2026-47103 1 Fgmacedo 1 Python Statemachine 2026-07-08 N/A 9.8 CRITICAL
Python StateMachine versions 3.0.0 before 3.2.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary code by supplying malicious SCXML documents containing crafted `<data expr="...">` attributes evaluated unsafely. The SCXMLProcessor passes attacker-controlled expression strings through a call chain ending in Python's built-in eval() without sandboxing, enabling arbitrary code execution in the context of the hosting process.