CVE-2026-34444
CriticalCVSS 10.0Exploitation Probability (EPSS)
Low risk45th percentile — higher than 45% of all known CVEs
Summary
Lupa integrates Lua or LuaJIT2 runtimes into CPython. In version 2.6 and earlier, the attribute filter is not consistently applied when attributes are accessed via built-in functions like getattr and setattr. This allows an attacker to bypass intended restrictions and eventually achieve arbitrary code execution.
Risk Assessment
The risk involves bypassing security mechanisms and gaining full system control, potentially leading to data theft, malware installation, or infrastructure compromise.
Recommendation
Immediately upgrade Lupa to version 2.7 or later, which includes a fix for this vulnerability. Also review attribute filter configurations in existing deployments.
Original NVD description (English source)
Lupa integrates the runtimes of Lua or LuaJIT2 into CPython. In 2.6 and earlier, attribute_filter is not consistently applied when attributes are accessed through built-in functions like getattr and setattr. This allows an attacker to bypass the intended restrictions and eventually achieve arbitrary code execution.

