{
"document": {
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "en",
"notes": [
{
"category": "legal_disclaimer",
"text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
}
],
"publisher": {
"category": "coordinator",
"contact_details": "cert@ncsc.nl",
"name": "National Cyber Security Centre",
"namespace": "https://www.ncsc.nl/"
},
"title": "CVE-2026-33139",
"tracking": {
"current_release_date": "2026-03-28T07:50:46.885616Z",
"generator": {
"date": "2026-02-17T15:00:00Z",
"engine": {
"name": "V.E.L.M.A",
"version": "1.7"
}
},
"id": "CVE-2026-33139",
"initial_release_date": "2026-03-18T17:08:16.123584Z",
"revision_history": [
{
"date": "2026-03-18T17:08:16.123584Z",
"number": "1",
"summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)."
},
{
"date": "2026-03-18T17:08:27.995760Z",
"number": "2",
"summary": "NCSC Score created."
},
{
"date": "2026-03-19T11:40:06.910718Z",
"number": "3",
"summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)."
},
{
"date": "2026-03-19T11:40:09.350400Z",
"number": "4",
"summary": "NCSC Score updated."
},
{
"date": "2026-03-20T20:25:48.882091Z",
"number": "5",
"summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (1).| CWES updated (1)."
},
{
"date": "2026-03-20T20:25:50.672176Z",
"number": "6",
"summary": "NCSC Score updated."
},
{
"date": "2026-03-20T20:39:42.466843Z",
"number": "7",
"summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (1).| CWES updated (1).| Unknown change."
},
{
"date": "2026-03-20T20:39:45.357761Z",
"number": "8",
"summary": "NCSC Score updated."
},
{
"date": "2026-03-20T21:41:33.770569Z",
"number": "9",
"summary": "References created (1)."
},
{
"date": "2026-03-21T13:47:18.918449Z",
"number": "10",
"summary": "References removed (1)."
},
{
"date": "2026-03-21T15:23:17.763349Z",
"number": "11",
"summary": "Source connected.| CVE status created. (valid)| EPSS created."
},
{
"date": "2026-03-21T15:23:20.084294Z",
"number": "12",
"summary": "NCSC Score updated."
},
{
"date": "2026-03-22T00:51:44.512492Z",
"number": "13",
"summary": "References created (1)."
},
{
"date": "2026-03-22T11:24:48.033239Z",
"number": "14",
"summary": "References removed (1)."
},
{
"date": "2026-03-23T00:53:54.266897Z",
"number": "15",
"summary": "References created (1)."
},
{
"date": "2026-03-23T05:15:51.229323Z",
"number": "16",
"summary": "References removed (1)."
},
{
"date": "2026-03-24T20:56:11.719573Z",
"number": "17",
"summary": "References created (1)."
},
{
"date": "2026-03-24T20:56:48.535185Z",
"number": "18",
"summary": "CVSS created.| Products created (1).| Product Identifiers created (1).| Exploits created (1)."
},
{
"date": "2026-03-24T20:57:09.935584Z",
"number": "19",
"summary": "NCSC Score updated."
},
{
"date": "2026-03-28T07:50:40.550965Z",
"number": "20",
"summary": "NCSC Score updated."
}
],
"status": "interim",
"version": "20"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/<0.1.7",
"product": {
"name": "vers:unknown/<0.1.7",
"product_id": "CSAFPID-5875873"
}
}
],
"category": "product_name",
"name": "PySpector"
}
],
"category": "vendor",
"name": "ParzivalHack"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/<0.1.7",
"product": {
"name": "vers:unknown/<0.1.7",
"product_id": "CSAFPID-5902894",
"product_identification_helper": {
"cpe": "cpe:2.3:a:parzivalhack:pyspector:*:*:*:*:*:python:*:*"
}
}
}
],
"category": "product_name",
"name": "pyspector"
}
],
"category": "vendor",
"name": "parzivalhack"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-33139",
"cwe": {
"id": "CWE-184",
"name": "Incomplete List of Disallowed Inputs"
},
"notes": [
{
"category": "description",
"text": "### Summary\nPySpector versions `<= 0.1.6` are affected by a security validation bypass in the plugin system. The `validate_plugin_code()` function in `plugin_system.py`, performs static AST analysis to block dangerous API calls before a plugin is trusted and executed. However, the `internal resolve_name()` helper only handles `ast.Name` and `ast.Attribute` node types, returning `None` for all others. When a plugin uses indirect function calls via `getattr()` (such as `getattr(os, 'system')`) the outer call's func node is of type `ast.Call`, causing `resolve_name()` to return `None`, and the security check to be silently skipped. The plugin incorrectly passes the trust workflow, and executes arbitrary system commands on the user's machine when loaded.\n\n### Impact\nAn attacker who can deliver a malicious plugin file to a PySpector user and convince them to install it, can achieve arbitrary code execution on the user's local machine. Exploitation requires the victim to explicitly run `pyspector plugin install --trust` on the malicious file (a deliberate multi-step action that meaningfully limits the attack surface compared to passive vulnerabilities). However, the bypass directly undermines the security guarantee that `validate_plugin_code()` is designed to provide. Once the plugin is trusted and executed, the following is achievable:\n- Full read/write access to the local filesystem\n- Exfiltration of sensitive data and environment variables (i.e. API keys, credentials, etc...)\n- Establishment of persistence mechanisms\n- Lateral movement in CI/CD environments where PySpector runs with elevated permissions (pre-commit hooks and scheduled scans)\n\nAny user of PySpector who installs third-party plugins outside the official repository is potentially affected.\n\n### PoC\nThe following steps reproduce the vulnerability on PySpector `<= 0.1.6`:\n1. Create a malicious plugin file that uses getattr-based indirect calls to bypass AST validation, and confirm the validator incorrectly marks it as safe:\n![\"image\"](\"https://github.com/user-attachments/assets/4de3a0d1-1c77-4454-ad10-2369d5ca9997\")
\n2. Run PySpector Plugin Validator module (this confirms the validator incorrectly marks the plugin as safe):\n![\"image\"](\"https://github.com/user-attachments/assets/3e3b9603-4d95-4a39-be97-4163f6639599\")
\n3. Install and trust the plugin through the normal PySpector workflow:\n\n`pyspector plugin install /tmp/evil_plugin.py --trust`\n4. Execute the plugin, during a scan:\n`pyspector scan /any/target --plugin evil`",
"title": "github - https://github.com/advisories/GHSA-v3xv-8vc3-h2m6"
},
{
"category": "description",
"text": "### Summary\nPySpector versions `<= 0.1.6` are affected by a security validation bypass in the plugin system. The `validate_plugin_code()` function in `plugin_system.py`, performs static AST analysis to block dangerous API calls before a plugin is trusted and executed. However, the `internal resolve_name()` helper only handles `ast.Name` and `ast.Attribute` node types, returning `None` for all others. When a plugin uses indirect function calls via `getattr()` (such as `getattr(os, 'system')`) the outer call's func node is of type `ast.Call`, causing `resolve_name()` to return `None`, and the security check to be silently skipped. The plugin incorrectly passes the trust workflow, and executes arbitrary system commands on the user's machine when loaded.\n\n### Impact\nAn attacker who can deliver a malicious plugin file to a PySpector user and convince them to install it, can achieve arbitrary code execution on the user's local machine. Exploitation requires the victim to explicitly run `pyspector plugin install --trust` on the malicious file (a deliberate multi-step action that meaningfully limits the attack surface compared to passive vulnerabilities). However, the bypass directly undermines the security guarantee that `validate_plugin_code()` is designed to provide. Once the plugin is trusted and executed, the following is achievable:\n- Full read/write access to the local filesystem\n- Exfiltration of sensitive data and environment variables (i.e. API keys, credentials, etc...)\n- Establishment of persistence mechanisms\n- Lateral movement in CI/CD environments where PySpector runs with elevated permissions (pre-commit hooks and scheduled scans)\n\nAny user of PySpector who installs third-party plugins outside the official repository is potentially affected.\n\n### PoC\nThe following steps reproduce the vulnerability on PySpector `<= 0.1.6`:\n1. Create a malicious plugin file that uses getattr-based indirect calls to bypass AST validation, and confirm the validator incorrectly marks it as safe:\n\n2. Run PySpector Plugin Validator module (this confirms the validator incorrectly marks the plugin as safe):\n\n3. Install and trust the plugin through the normal PySpector workflow:\n\n`pyspector plugin install /tmp/evil_plugin.py --trust`\n4. Execute the plugin, during a scan:\n`pyspector scan /any/target --plugin evil`",
"title": "github - https://api.github.com/advisories/GHSA-v3xv-8vc3-h2m6"
},
{
"category": "description",
"text": "PySpector is a static analysis security testing (SAST) Framework engineered for modern Python development workflows. PySpector versions 0.1.6 and prior are affected by a security validation bypass in the plugin system. The validate_plugin_code() function in plugin_system.py, performs static AST analysis to block dangerous API calls before a plugin is trusted and executed. However, the internal resolve_name() helper only handles ast.Name and ast.Attribute node types, returning None for all others. When a plugin uses indirect function calls via getattr() (such as getattr(os, 'system')) the outer call's func node is of type ast.Call, causing resolve_name() to return None, and the security check to be silently skipped. The plugin incorrectly passes the trust workflow, and executes arbitrary system commands on the user's machine when loaded. This issue has been patched in version 0.1.7.",
"title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33139"
},
{
"category": "description",
"text": "PySpector is a static analysis security testing (SAST) Framework engineered for modern Python development workflows. PySpector versions 0.1.6 and prior are affected by a security validation bypass in the plugin system. The validate_plugin_code() function in plugin_system.py, performs static AST analysis to block dangerous API calls before a plugin is trusted and executed. However, the internal resolve_name() helper only handles ast.Name and ast.Attribute node types, returning None for all others. When a plugin uses indirect function calls via getattr() (such as getattr(os, 'system')) the outer call's func node is of type ast.Call, causing resolve_name() to return None, and the security check to be silently skipped. The plugin incorrectly passes the trust workflow, and executes arbitrary system commands on the user's machine when loaded. This issue has been patched in version 0.1.7.",
"title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33139.json"
},
{
"category": "other",
"text": "0.00025",
"title": "EPSS"
},
{
"category": "other",
"text": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
},
{
"category": "other",
"text": "8.3",
"title": "CVSSV4 base score"
},
{
"category": "other",
"text": "3.8",
"title": "NCSC Score"
},
{
"category": "other",
"text": "Exploit code publicly available, There is exploit data available from source Nvd, The value of the most recent EPSS score",
"title": "NCSC Score top decreasing factors"
}
],
"product_status": {
"known_affected": [
"CSAFPID-5875873",
"CSAFPID-5902894"
]
},
"references": [
{
"category": "external",
"summary": "Source - github",
"url": "https://github.com/advisories/GHSA-v3xv-8vc3-h2m6"
},
{
"category": "external",
"summary": "Source raw - github",
"url": "https://api.github.com/advisories/GHSA-v3xv-8vc3-h2m6"
},
{
"category": "external",
"summary": "Source - github",
"url": "https://api.github.com/advisories/GHSA-v3xv-8vc3-h2m6"
},
{
"category": "external",
"summary": "Source - nvd",
"url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33139"
},
{
"category": "external",
"summary": "Source - cveprojectv5",
"url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33139.json"
},
{
"category": "external",
"summary": "Source - first",
"url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
},
{
"category": "external",
"summary": "Reference - cveprojectv5; github; nvd",
"url": "https://github.com/ParzivalHack/PySpector/security/advisories/GHSA-v3xv-8vc3-h2m6"
},
{
"category": "external",
"summary": "Reference - github",
"url": "https://github.com/advisories/GHSA-v3xv-8vc3-h2m6"
},
{
"category": "external",
"summary": "Reference - github",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33139"
}
],
"scores": [
{
"cvss_v3": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"baseScore": 7.8,
"baseSeverity": "HIGH"
},
"products": [
"CSAFPID-5875873",
"CSAFPID-5902894"
]
}
],
"title": "CVE-2026-33139"
}
]
}