CVE Catalog

CVE-2026-34444

CriticalCVSS 10.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.61%

45th percentile — higher than 45% of all known CVEs

Summary

Lupa integrates Lua or LuaJIT2 runtimes into CPython. In version 2.6 and earlier, the attribute filter is not consistently applied when attributes are accessed via built-in functions like getattr and setattr. This allows an attacker to bypass intended restrictions and eventually achieve arbitrary code execution.

Risk Assessment

The risk involves bypassing security mechanisms and gaining full system control, potentially leading to data theft, malware installation, or infrastructure compromise.

Recommendation

Immediately upgrade Lupa to version 2.7 or later, which includes a fix for this vulnerability. Also review attribute filter configurations in existing deployments.

Original NVD description (English source)

Lupa integrates the runtimes of Lua or LuaJIT2 into CPython. In 2.6 and earlier, attribute_filter is not consistently applied when attributes are accessed through built-in functions like getattr and setattr. This allows an attacker to bypass the intended restrictions and eventually achieve arbitrary code execution.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS