Skip to main content

Lupa

1 CVEs product

Monthly

CVE-2026-34444 PyPI HIGH PATCH GHSA This Week

Arbitrary code execution in Lupa (Python-Lua integration library) versions ≤2.6 allows unauthenticated remote attackers to bypass attribute filtering controls via Python's getattr/setattr built-ins. The vulnerability enables attackers to circumvent sandbox restrictions designed to limit Lua runtime access to sensitive Python objects, ultimately achieving code execution in the CPython host process. EPSS data unavailable; no CISA KEV listing or public exploit identified at time of analysis, though exploitation complexity is low per CVSS vector (AC:L, PR:N).

RCE Authentication Bypass Lupa
NVD GitHub VulDB
CVSS 4.0
7.9
EPSS
0.1%
EPSS 0% CVSS 7.9
HIGH PATCH This Week

Arbitrary code execution in Lupa (Python-Lua integration library) versions ≤2.6 allows unauthenticated remote attackers to bypass attribute filtering controls via Python's getattr/setattr built-ins. The vulnerability enables attackers to circumvent sandbox restrictions designed to limit Lua runtime access to sensitive Python objects, ultimately achieving code execution in the CPython host process. EPSS data unavailable; no CISA KEV listing or public exploit identified at time of analysis, though exploitation complexity is low per CVSS vector (AC:L, PR:N).

RCE Authentication Bypass Lupa
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy