[CYBERDIGEST]

Tag

#SCXML

Article | CRITICAL 9.3

Critical Eval Injection Vulnerability in python-statemachine: CVE-2026-47103

A critical vulnerability (CVE-2026-47103) has been discovered in the python-statemachine library, affecting versions 3.0.0 to 3.1.2. The library evaluates `<data expr="...">` attributes in SCXML documents with Python's `eval()`, which allows arbitrary code execution. The issue is classified as CWE-95, Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'). Its CVSS score is 9.3, which falls in the critical severity range. Organizations using affected versions should immediately upgrade to version 3.2.0 or apply mitigations.

Jun 18, 2026 | 1 source