CVE-2026-34444
Lupa has a Sandbox escape and RCE due to incomplete attribute_filter enforcement in getattr / setattr
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Lupa integrates the runtimes of Lua or LuaJIT2 into CPython. In 2.6 and earlier, attribute_filter is not consistently applied when attributes are accessed through built-in functions like getattr and setattr. This allows an attacker to bypass the intended restrictions and eventually achieve arbitrary code execution.
| CWE | CWE-284 CWE-639 |
| Vendor | scoder |
| Product | lupa |
| Published | Apr 6, 2026 |
| Last Updated | Apr 6, 2026 |
Stay Ahead of the Next One
Get instant alerts for scoder lupa
Be the first to know when new unknown vulnerabilities affecting scoder lupa are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
scoder / lupa
<= 2.6