CVE Catalog

CVE-2026-47103

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
0.80%

52th percentile — higher than 52% of all known CVEs

Summary

Python StateMachine versions 3.0.0 before 3.2.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary code by supplying malicious SCXML documents containing crafted `<data expr="...">` attributes.

Risk Assessment

An attacker can take control of the hosting process, leading to full system compromise, data theft, or further propagation of the attack within the network.

Recommendation

Immediately update the Python StateMachine library to version 3.2.0 or later, which fixes this vulnerability.

Original NVD description (English source)

Python StateMachine versions 3.0.0 before 3.2.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary code by supplying malicious SCXML documents containing crafted `<data expr="...">` attributes evaluated unsafely. The SCXMLProcessor passes attacker-controlled expression strings through a call chain ending in Python's built-in eval() without sandboxing, enabling arbitrary code execution in the context of the hosting process.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS