Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
The superduper project thru v0.10.0 contains a critical remote code execution vulnerability in its query parsing component. The _parse_op_part() function in query.py uses the unsafe eval() function to dynamically evaluate user-supplied query operands without proper sanitization or restriction. Although the function attempts to limit the execution context by providing a restricted global namespace, it does not block access to dangerous built-in functions. A remote attacker can exploit this by submitting a specially crafted query string containing Python code that imports modules (e.g., os) and executes arbitrary system commands, leading to complete compromise of the server.
AnalysisAI
Remote code execution in superduper (Python library) through version 0.10.0 allows unauthenticated network attackers to execute arbitrary system commands by submitting malicious query strings with embedded Python code. The _parse_op_part() function in query.py uses unsafe eval() with inadequate context restrictions, enabling attackers to import modules (such as os) and achieve complete server compromise. EPSS score is low (0.07%, 20th percentile) and no active exploitation is confirmed (CISA KEV absent), but SSVC framework rates technical impact as total. User interaction is required (CVSS UI:R), reducing automated exploitation risk. Authentication requirements not confirmed from available data - CVSS vector shows PR:N (no privileges required) but UI:R suggests user-triggered queries.
Technical ContextAI
This vulnerability stems from unsafe use of Python's eval() function for dynamic code evaluation, classified as CWE-94 (Improper Control of Generation of Code). The superduper project is a Python library for database and model management. The query.py module's _parse_op_part() function accepts user-supplied query operands and evaluates them as Python expressions using eval(). While the implementation attempts to provide a restricted global namespace to limit available functions, Python's introspection capabilities allow attackers to access built-in functions and import arbitrary modules. This breaks out of the intended sandbox, enabling import of dangerous modules like os, subprocess, or __import__ to execute system commands. The vulnerability exists in all versions through 0.10.0. CPE data is incomplete (shows generic n/a values), limiting precise product identification, though the superduper-io/superduper GitHub repository is confirmed as the affected project.
RemediationAI
Upgrade superduper to a version newer than 0.10.0 once a patched release becomes available - no vendor-released patch identified at time of analysis, and the provided references do not link to a specific fix commit or patched version number. Monitor the GitHub repository (https://github.com/superduper-io/superduper) for security updates addressing CVE-2026-31225. As immediate compensating controls: (1) Implement strict input validation on all query strings before they reach _parse_op_part(), whitelisting only safe operators and rejecting queries containing Python code constructs like import, __builtins__, exec, or eval (trade-off: may break legitimate advanced query functionality). (2) Run the superduper application in a sandboxed environment with restricted system call access using seccomp or AppArmor to limit impact of code execution (trade-off: complex configuration, may affect legitimate file/network operations). (3) Restrict network access to query endpoints to authenticated, trusted users only and do not expose query parsing interfaces to public APIs (trade-off: reduces functionality for untrusted users). (4) Replace eval() usage with ast.literal_eval() for parsing query operands if queries only require literal Python types rather than arbitrary expressions (trade-off: significantly restricts query expressiveness but eliminates code execution risk). Review application logs for suspicious query patterns containing keywords like import, os, subprocess, or __builtins__ as potential exploitation indicators.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29509
GHSA-2799-6g5r-mmc7