Threat Advisory

python-statemachine Vulnerability: Unsafe Evaluation of SCXML `<data expr>` Expressions

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical


EXECUTIVE SUMMARY:

CVE-2026-47103 (CVSS 9.3) is a critical remote code execution flaw in the python-statemachine library (pip package) affecting versions prior to 3.2.0. The SCXMLProcessor evaluates the `<data expr="…">` attribute of an SCXML document with Python's built-in eval() and no sandbox, so an attacker-controlled expression runs directly in the host process. An attacker who can get the application to load a crafted SCXML document therefore executes arbitrary Python code with the rights of the vulnerable application; the attack vector is network-delivered SCXML content and requires no authentication, privileges, or user interaction. Successful exploitation enables data theft, system manipulation, or ransomware deployment. Organizations that ingest SCXML definitions from untrusted sources (configuration uploads, plugins, remote services) face loss of confidentiality, integrity, and availability, with the attendant disruption of critical workflows and regulatory exposure. The sole prerequisite is that the application loads unvalidated SCXML into SCXMLProcessor; where no untrusted SCXML reaches the processor, the flaw is not reachable.
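The following is an added illustration of the bug class the summary describes, written for this advisory; it is not python-statemachine's code and not the fix that shipped in 3.2.0. The two loader functions, the SCXML documents and the helper names are constructed for the demonstration. The unsafe loader passes the `expr` attribute straight to eval(), so the constructed document's expression runs in the host process (getpid() is used only as a harmless, observable proof of execution). The hardened loader accepts only Python literals via ast.literal_eval, which rejects calls, attribute access and imports before anything is evaluated.

```python
"""Vulnerable vs. hardened handling of SCXML <data expr="..."> attributes.

Added example for this advisory, not python-statemachine's own code.
All names, documents and helpers below are constructed for illustration.
"""
import ast
import os
import xml.etree.ElementTree as ET

SCXML_NS = "{http://www.w3.org/2005/07/scxml}"

# Constructed SCXML with a benign, literal-only data expression.
BENIGN_SCXML = """<?xml version="1.0"?>
<scxml xmlns="http://www.w3.org/2005/07/scxml" version="1.0" initial="idle">
  <datamodel>
    <data id="counter" expr="{'count': 0, 'limit': 3}"/>
  </datamodel>
  <state id="idle"/>
</scxml>"""

# Constructed SCXML with an attacker-controlled expression. getpid() is a
# harmless stand-in: it proves the expression ran inside this process.
MALICIOUS_SCXML = """<?xml version="1.0"?>
<scxml xmlns="http://www.w3.org/2005/07/scxml" version="1.0" initial="idle">
  <datamodel>
    <data id="counter" expr="__import__('os').getpid()"/>
  </datamodel>
  <state id="idle"/>
</scxml>"""


def _data_elements(scxml_text: str):
    """Yield (id, expr) for every <data> element in the SCXML datamodel."""
    root = ET.fromstring(scxml_text)
    for data in root.iter(f"{SCXML_NS}data"):
        yield data.get("id"), data.get("expr")


def load_datamodel_unsafe(scxml_text: str) -> dict:
    """The vulnerable pattern: attacker-controlled expr reaches eval()."""
    model = {}
    for name, expr in _data_elements(scxml_text):
        if expr is not None:
            model[name] = eval(expr)  # arbitrary code execution in the host
    return model


def load_datamodel_safe(scxml_text: str) -> dict:
    """Hardened variant: expr may only be a Python literal (dict, list,
    tuple, str, number, bool, None). Calls, names, attribute access and
    imports are rejected by ast.literal_eval before any evaluation."""
    model = {}
    for name, expr in _data_elements(scxml_text):
        if expr is None:
            continue
        try:
            model[name] = ast.literal_eval(expr)
        except (ValueError, SyntaxError) as exc:
            raise ValueError(
                f"rejected non-literal expr for data id={name!r}: {expr!r}"
            ) from exc
    return model


def is_expr_accepted(scxml_text: str) -> bool:
    """True if the hardened loader accepts every expr in the document."""
    try:
        load_datamodel_safe(scxml_text)
        return True
    except ValueError:
        return False


def unsafe_expr_ran_in_host(scxml_text: str) -> bool:
    """True when the eval()'d expr observably executed in this process."""
    return load_datamodel_unsafe(scxml_text).get("counter") == os.getpid()


if __name__ == "__main__":
    print("unsafe loader executed attacker expr:",
          unsafe_expr_ran_in_host(MALICIOUS_SCXML))
    print("safe loader, benign document:", load_datamodel_safe(BENIGN_SCXML))
    print("safe loader accepts malicious document:",
          is_expr_accepted(MALICIOUS_SCXML))
```

Literal-only evaluation is a deliberate trade-off: it is narrower than the SCXML datamodel semantics (an `expr` that references other data ids or performs arithmetic is rejected), but it removes the code-execution path entirely. An application that needs richer expressions must evaluate them in a purpose-built interpreter, not via eval().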

 

RECOMMENDATION:

  • Update python-statemachine to version 3.2.0 or later.
  • Until the update is applied, do not load SCXML documents from untrusted sources (uploads, plugins, remote services) into SCXMLProcessor, since an untrusted `<data expr>` reaching the processor is the only prerequisite for exploitation.

 

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-v4jc-pm6r-3vj8
