CVE-2026-33139
Published: 20 March 2026
Summary
CVE-2026-33139 is a high-severity Incomplete List of Disallowed Inputs (CWE-184) vulnerability in Parzivalhack Pyspector. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The vulnerability is ranked at the 10.1st percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Requires timely identification, reporting, and patching of the specific validation bypass flaw in PySpector's plugin system, directly mitigating arbitrary command execution.
- CM-11 (User-installed Software): Enforces organizational policies to restrict or monitor user installation of untrusted plugins, preventing loading of malicious ones that bypass AST validation.
- SI-3 (Malicious Code Protection): Deploys malicious code protection mechanisms to scan and block plugins containing indirect calls to dangerous APIs like os.system before or during execution.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The plugin-validation bypass enables arbitrary command execution via a crafted Python plugin; it requires user interaction to load the malicious file (T1204.002), which then runs via the Python interpreter (T1059.006).
NVD Description
PySpector is a static analysis security testing (SAST) Framework engineered for modern Python development workflows. PySpector versions 0.1.6 and prior are affected by a security validation bypass in the plugin system. The validate_plugin_code() function in plugin_system.py performs static AST analysis to block dangerous API calls before a plugin is trusted and executed. However, the internal resolve_name() helper only handles ast.Name and ast.Attribute node types, returning None for all others. When a plugin uses indirect function calls via getattr() (such as getattr(os, 'system')) the outer call's func node is of type ast.Call, causing resolve_name() to return None, and the security check to be silently skipped. The plugin incorrectly passes the trust workflow, and executes arbitrary system commands on the user's machine when loaded. This issue has been patched in version 0.1.7.
Deeper analysis
PySpector, a static analysis security testing (SAST) framework for modern Python development workflows, is affected by CVE-2026-33139 in versions 0.1.6 and prior. The vulnerability is a security validation bypass in the plugin system, specifically within the validate_plugin_code() function in plugin_system.py. This function performs static AST analysis to block dangerous API calls before trusting and executing a plugin. However, the internal resolve_name() helper only processes ast.Name and ast.Attribute node types, returning None for others. As a result, indirect function calls like getattr(os, 'system') produce an outer func node of type ast.Call, causing resolve_name() to return None, silently skipping the security check.
A local attacker with no privileges can exploit this issue by crafting a malicious plugin that uses indirect calls to bypass validation. The attacker requires user interaction, such as tricking the user into loading the plugin, which then incorrectly passes the trust workflow. Upon loading, the plugin executes arbitrary system commands on the user's machine, leading to high confidentiality, integrity, and availability impacts (CVSS 7.8: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). This is linked to CWE-184 (Incomplete List of Disallowed Inputs).
The GitHub security advisory at https://github.com/ParzivalHack/PySpector/security/advisories/GHSA-v3xv-8vc3-h2m6 confirms the issue has been patched in PySpector version 0.1.7, recommending users upgrade to mitigate the vulnerability.
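To make the root cause concrete, the following is an added example, not PySpector's own plugin_system.py. The function names mirror the advisory's description, but the deny list, the helper bodies and the three constructed plugin snippets are assumptions. It contrasts a resolver that returns None for unhandled AST node types (the CWE-184 pattern, where an unresolved call target is treated as safe) with a fail-closed resolver that rejects any call target it cannot statically name and additionally flags dynamic-lookup builtins such as getattr.

```python
"""
Added example: a deny-list AST plugin validator written two ways, to show why
returning None for unhandled node types lets an indirect call slip through,
and how a fail-closed variant closes that gap. Not PySpector's code.
"""
import ast
from typing import List, Optional, Tuple

# Constructed deny list of dotted call names (example values, not PySpector's list).
DANGEROUS_CALLS = {
    "os.system", "os.popen", "subprocess.run", "subprocess.Popen",
    "subprocess.call", "eval", "exec", "__import__",
}

# Builtins that resolve names at runtime; a call through them defeats static
# name resolution, so the fail-closed validator rejects them outright.
DYNAMIC_LOOKUPS = {"getattr", "globals", "locals", "vars", "__import__"}


def resolve_name_vulnerable(node: ast.AST) -> Optional[str]:
    """Mirrors the flawed behaviour described in the advisory: only ast.Name and
    ast.Attribute are handled; every other node type yields None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = resolve_name_vulnerable(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def validate_plugin_code_vulnerable(source: str) -> bool:
    """Returns True when the plugin would be trusted. A call whose func node
    cannot be resolved (e.g. the outer ast.Call in getattr(os, 'system')(...))
    is silently skipped, which is the bypass."""
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = resolve_name_vulnerable(node.func)
            if name is not None and name in DANGEROUS_CALLS:
                return False
    return True


class Unresolvable(Exception):
    """Raised when a call target cannot be reduced to a dotted name."""


def resolve_name_fixed(node: ast.AST) -> str:
    """Fail-closed resolver: unhandled node types raise instead of returning None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return f"{resolve_name_fixed(node.value)}.{node.attr}"
    raise Unresolvable(type(node).__name__)


def validate_plugin_code_fixed(source: str) -> Tuple[bool, List[str]]:
    """Returns (trusted, findings). Any call whose target is not statically
    resolvable is rejected, as is any call to a dynamic-lookup builtin."""
    findings: List[str] = []
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:  # unparseable plugin is rejected, not trusted
        return False, [f"syntax error: {exc.msg}"]
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        try:
            name = resolve_name_fixed(node.func)
        except Unresolvable as exc:
            findings.append(f"line {node.lineno}: unresolvable call target ({exc})")
            continue
        if name in DANGEROUS_CALLS:
            findings.append(f"line {node.lineno}: dangerous call {name}")
        elif name in DYNAMIC_LOOKUPS:
            findings.append(f"line {node.lineno}: dynamic lookup {name}")
    return (not findings), findings


# Constructed plugin snippets (harmless commands) used to exercise both validators.
BENIGN_PLUGIN = "import json\n\ndef run(path):\n    with open(path) as fh:\n        return json.load(fh)\n"
DIRECT_PLUGIN = "import os\nos.system('true')\n"
INDIRECT_PLUGIN = "import os\ngetattr(os, 'system')('true')\n"


if __name__ == "__main__":
    for label, src in [("benign", BENIGN_PLUGIN), ("direct", DIRECT_PLUGIN), ("indirect", INDIRECT_PLUGIN)]:
        print(label, "vulnerable:", validate_plugin_code_vulnerable(src),
              "fixed:", validate_plugin_code_fixed(src))
```

The vulnerable validator trusts the indirect snippet because the outer call's func node is an ast.Call and resolves to None, exactly the condition the advisory describes; the fixed validator rejects it twice, once for the unresolvable outer target and once for the getattr lookup. Note that any deny list over Python source remains inherently incomplete (import aliasing, sys.modules, and similar indirection are not covered here), so a fail-closed resolver reduces the gap rather than eliminating it, and plugins still warrant the CM-11 and SI-3 controls listed above.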
Details
- CWE(s)