Skip to main content

superduper CVE-2026-31225

| EUVDEUVD-2026-29509 HIGH
Code Injection (CWE-94)
2026-05-12 mitre GHSA-2799-6g5r-mmc7
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 13, 2026 - 15:56 vuln.today
CVSS changed
May 13, 2026 - 15:52 NVD
8.8 (None) 8.8 (HIGH)
CVE Published
May 12, 2026 - 00:00 nvd
HIGH 8.8
CVE Published
May 12, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

The superduper project thru v0.10.0 contains a critical remote code execution vulnerability in its query parsing component. The _parse_op_part() function in query.py uses the unsafe eval() function to dynamically evaluate user-supplied query operands without proper sanitization or restriction. Although the function attempts to limit the execution context by providing a restricted global namespace, it does not block access to dangerous built-in functions. A remote attacker can exploit this by submitting a specially crafted query string containing Python code that imports modules (e.g., os) and executes arbitrary system commands, leading to complete compromise of the server.

AnalysisAI

Remote code execution in superduper (Python library) through version 0.10.0 allows unauthenticated network attackers to execute arbitrary system commands by submitting malicious query strings with embedded Python code. The _parse_op_part() function in query.py uses unsafe eval() with inadequate context restrictions, enabling attackers to import modules (such as os) and achieve complete server compromise. EPSS score is low (0.07%, 20th percentile) and no active exploitation is confirmed (CISA KEV absent), but SSVC framework rates technical impact as total. User interaction is required (CVSS UI:R), reducing automated exploitation risk. Authentication requirements not confirmed from available data - CVSS vector shows PR:N (no privileges required) but UI:R suggests user-triggered queries.

Technical ContextAI

This vulnerability stems from unsafe use of Python's eval() function for dynamic code evaluation, classified as CWE-94 (Improper Control of Generation of Code). The superduper project is a Python library for database and model management. The query.py module's _parse_op_part() function accepts user-supplied query operands and evaluates them as Python expressions using eval(). While the implementation attempts to provide a restricted global namespace to limit available functions, Python's introspection capabilities allow attackers to access built-in functions and import arbitrary modules. This breaks out of the intended sandbox, enabling import of dangerous modules like os, subprocess, or __import__ to execute system commands. The vulnerability exists in all versions through 0.10.0. CPE data is incomplete (shows generic n/a values), limiting precise product identification, though the superduper-io/superduper GitHub repository is confirmed as the affected project.

RemediationAI

Upgrade superduper to a version newer than 0.10.0 once a patched release becomes available - no vendor-released patch identified at time of analysis, and the provided references do not link to a specific fix commit or patched version number. Monitor the GitHub repository (https://github.com/superduper-io/superduper) for security updates addressing CVE-2026-31225. As immediate compensating controls: (1) Implement strict input validation on all query strings before they reach _parse_op_part(), whitelisting only safe operators and rejecting queries containing Python code constructs like import, __builtins__, exec, or eval (trade-off: may break legitimate advanced query functionality). (2) Run the superduper application in a sandboxed environment with restricted system call access using seccomp or AppArmor to limit impact of code execution (trade-off: complex configuration, may affect legitimate file/network operations). (3) Restrict network access to query endpoints to authenticated, trusted users only and do not expose query parsing interfaces to public APIs (trade-off: reduces functionality for untrusted users). (4) Replace eval() usage with ast.literal_eval() for parsing query operands if queries only require literal Python types rather than arbitrary expressions (trade-off: significantly restricts query expressiveness but eliminates code execution risk). Review application logs for suspicious query patterns containing keywords like import, os, subprocess, or __builtins__ as potential exploitation indicators.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-31225 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy