๐Ÿ” CVE Alert

CVE-2026-41206

UNKNOWN 0.0

PySpector has a Plugin Code Execution Bypass via Incomplete Static Analysis in PluginSecurity.validate_plugin_code

CVSS Score 0.0
EPSS Score 0.0%
EPSS Percentile 0th

PySpector is a static analysis security testing (SAST) framework engineered for modern Python development workflows. Its plugin security validator uses AST-based static analysis to prevent dangerous code from being loaded as plugins. Prior to version 0.1.8, the blocklist implemented in `PluginSecurity.validate_plugin_code` is incomplete and can be bypassed using several Python constructs that it does not check. An attacker who can supply a plugin file can achieve arbitrary code execution within the PySpector process when that plugin is installed and executed. Version 0.1.8 fixes the issue.

CWE CWE-184
Vendor parzivalhack
Product pyspector
Published Apr 23, 2026

Affected Versions

ParzivalHack / PySpector
< 0.1.8

References

https://github.com/ParzivalHack/PySpector/security/advisories/GHSA-vp22-38m5-r39r
https://github.com/ParzivalHack/PySpector/commit/3c9547157fc07396f22b26b3484a9a91eba98555
https://github.com/ParzivalHack/PySpector/commit/4e279e078c53d760fd321ff9b698d683c65ccb8e