Threat Advisory

PySpector Vulnerabilities Enable XSS and Arbitrary Code Execution

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-33140:

PySpector versions ≤ 0.1.6 are affected by a stored Cross-Site Scripting (XSS) vulnerability in the HTML report generation feature, caused by improper sanitization of scanned code snippets. When a malicious Python file containing embedded HTML or JavaScript is analyzed, the flagged snippet is written verbatim into the generated HTML report. When the report is opened in a browser, the embedded script executes in the local file (file://) context of the report. This can allow an attacker to manipulate the DOM, redirect the user to a malicious site, or, depending on how the browser handles local files, read locally available data. CVSS Score: 5.3 (Moderate).
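The report-writer pattern behind CVE-2026-33140, as an added illustration that is not PySpector's own code: a hypothetical report writer that interpolates a flagged snippet verbatim, next to the same writer with html.escape applied to every untrusted field and a restrictive Content-Security-Policy meta tag as defence in depth. The scanner rule, the scanned source, the finding structure and all function names are constructed for this example.

```python
import html
import re

# Constructed input: a scanned Python file whose flagged line carries an
# HTML/JavaScript payload. Not a real PySpector finding; built for this example.
SCANNED_SOURCE = (
    'x = eval(user_input)  # <img src=x onerror="alert(document.cookie)">\n'
)

# Defence in depth (assumption for this example): even if a snippet slipped
# through unescaped, a CSP on the report forbids script execution in browsers
# that honour the meta tag. Inline styles stay allowed for the table layout.
CSP_META = (
    '<meta http-equiv="Content-Security-Policy" '
    "content=\"default-src 'none'; style-src 'unsafe-inline'\">"
)


def scan(source):
    """Toy rule standing in for a real detector: flag every line that calls eval()."""
    return [
        {"line": n, "snippet": line}
        for n, line in enumerate(source.splitlines(), 1)
        if "eval(" in line
    ]


def vulnerable_report(findings):
    """Hypothetical writer showing the bug pattern: the snippet is interpolated
    verbatim, so any markup inside the scanned code lands live in the report."""
    rows = "".join(
        f"<tr><td>{f['line']}</td><td>{f['snippet']}</td></tr>" for f in findings
    )
    return f"<html><body><table>{rows}</table></body></html>"


def hardened_report(findings):
    """Same layout; every untrusted field is HTML-escaped (quotes included) and
    the line number is coerced to int so it cannot carry markup either."""
    rows = "".join(
        f"<tr><td>{int(f['line'])}</td>"
        f"<td><code>{html.escape(f['snippet'], quote=True)}</code></td></tr>"
        for f in findings
    )
    return f"<html><head>{CSP_META}</head><body><table>{rows}</table></body></html>"


def contains_live_tag(report):
    """Crude check: an unescaped script-capable tag opening in the document
    means the payload survived interpolation and would run when opened."""
    return re.search(r"<(script|img|svg|iframe)\b", report, re.I) is not None
```

The escaping has to cover quotes as well as angle brackets, because a snippet may land inside an attribute in some report layouts; `html.escape(..., quote=True)` does both. The CSP meta tag is a second layer, not a replacement for escaping, since not every viewer of a local HTML file enforces it.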

CVE-2026-33139:

PySpector versions ≤ 0.1.6 contain a validation flaw in the plugin system that allows the plugin sandbox to be bypassed because the AST-based security analysis is incomplete. The validation logic does not detect indirect function calls, such as those resolved at runtime through getattr(), so a malicious plugin passes the check and is marked as trusted. Once executed, such a plugin can run arbitrary system commands on the host machine. This can result in full filesystem access, exposure of sensitive data, persistence, and potential lateral movement in privileged environments. CVSS Score: 8.3 (High).
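The validator weakness behind CVE-2026-33139, as an added illustration that is not PySpector's code: a hypothetical AST check that only matches direct `module.attr(...)` calls by name, the getattr()-based plugin that slips past it, and a stricter check that refuses blocked imports, the builtins that resolve names dynamically, and dunder attribute access. The plugin sources, the blocked-call lists and all function names are constructed for this example.

```python
import ast

# Constructed plugin sources (not PySpector plugins; written for this example).
DIRECT_PLUGIN = "import os\nos.system('id')\n"
# The indirect form the advisory describes: the callee is resolved at runtime
# through getattr(), so no `os.system` attribute node ever appears in the AST.
INDIRECT_PLUGIN = "import os\ngetattr(os, 'sys' + 'tem')('id')\n"
BENIGN_PLUGIN = "def run(findings):\n    return [f for f in findings if f]\n"

# Assumed policy for the example; a real validator would carry a longer list.
BLOCKED_CALLS = {("os", "system"), ("subprocess", "run"), ("subprocess", "Popen")}
BLOCKED_MODULES = {"os", "subprocess"}
DYNAMIC_BUILTINS = {"getattr", "__import__", "eval", "exec", "compile"}


def naive_is_trusted(source):
    """Incomplete validator (hypothetical): only a literal `name.attr(...)` call
    whose (name, attr) pair is blocked fails the check. Anything that reaches
    the same function without spelling it as an attribute node is invisible."""
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            base = node.func.value
            if isinstance(base, ast.Name) and (base.id, node.func.attr) in BLOCKED_CALLS:
                return False
    return True


def strict_is_trusted(source):
    """Stricter validator: refuse blocked modules at import time, refuse the
    builtins that resolve names dynamically, and refuse dunder attribute access
    (the usual route to __subclasses__/__globals__ escapes). It is still static
    analysis, so it gates plugin loading; it is not process isolation."""
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            roots = [alias.name.split(".")[0] for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            roots = [(node.module or "").split(".")[0]]
        else:
            roots = []
        if any(root in BLOCKED_MODULES for root in roots):
            return False
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            if node.func.id in DYNAMIC_BUILTINS:
                return False
        if isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            return False
    return True


def classify(source):
    """Return (naive_verdict, strict_verdict) so the gap between them is visible."""
    return naive_is_trusted(source), strict_is_trusted(source)
```

The point of the stricter check is that a deny-list keyed on call spelling can always be dodged (getattr(), string concatenation of the attribute name, __import__ with a computed module name), so the validator has to refuse the mechanisms of indirection themselves. Even then, static validation of Python is best treated as a loading gate; untrusted plugins should also run in a separate process with reduced privileges.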

RECOMMENDATION:

We strongly recommend updating PySpector to version 0.1.7 or later. Until the update is applied, do not open HTML reports generated from untrusted code in a browser, and do not load plugins from untrusted sources: in the affected versions the plugin validation is not a reliable trust boundary.

REFERENCES:

The following reports contain further technical details:

https://github.com/advisories/GHSA-2gmv-2r3v-jxj2

https://github.com/advisories/GHSA-v3xv-8vc3-h2m6
