Python Statemachine
Monthly
Remote code execution in python-statemachine 3.0.0 through 3.1.x allows attackers to run arbitrary Python in the host process by supplying a crafted SCXML document whose `<data expr="...">` attributes are passed unsandboxed to eval() inside SCXMLProcessor. Reported by VulnCheck with publicly available exploit code and a vendor advisory (GHSA-v4jc-pm6r-3vj8); no public exploit identified at time of analysis as actively in the wild, and the flaw is not listed in CISA KEV.
Remote code execution in python-statemachine 3.0.0 through 3.1.x allows attackers to run arbitrary Python in the host process by supplying a crafted SCXML document whose `<data expr="...">` attributes are passed unsandboxed to eval() inside SCXMLProcessor. Reported by VulnCheck with publicly available exploit code and a vendor advisory (GHSA-v4jc-pm6r-3vj8); no public exploit identified at time of analysis as actively in the wild, and the flaw is not listed in CISA KEV.