DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-VP22-38M5-R39R: CVE-2026-33139: Arbitrary Code Execution via Sandbox Bypass in PySpector Plugin Validation


Vulnerability ID: GHSA-VP22-38M5-R39R
CVSS Score: 7.8
Published: 2026-04-16

PySpector versions 0.1.6 and earlier contain a high-severity flaw in the plugin security validation system. The Abstract Syntax Tree (AST) analysis that enforces the plugin sandbox resolves only direct callee names, so a dangerous API reached through an indirect call (for example, a function object returned by getattr) is never compared against the blocklist. A malicious plugin that passes validation is then loaded and executes arbitrary code with the privileges of the user running the static analysis scanner.

TL;DR

A fail-open logic flaw in PySpector's AST-based plugin scanner allows malicious plugins to execute arbitrary code. The scanner's name resolver returns None for a callee that is itself a call expression, and None is treated as "not dangerous", so wrapping a blocked API in a dynamically resolved call such as getattr(os, "system")(...) bypasses the blocked function list entirely.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-184 / CWE-693
  • Attack Vector: Local (via malicious plugin)
  • CVSS v3.1: 7.8
  • EPSS Score: 0.00023
  • Impact: Arbitrary Code Execution
  • Exploit Status: Proof of Concept Available

Affected Systems

  • PySpector Plugin Validation Engine
  • PySpector: <= 0.1.6 (Fixed in: 0.1.7)

Code Analysis

Commit: 771301e

Fix AST validation logic to handle ast.Call nodes recursively and expand dangerous calls blocklist.

@@ -143,6 +143,8 @@ def validate_plugin_code(plugin_path: Path) -> tuple[bool, str]:
             "exec",
             "compile",
             "__import__",
+            "vars",
+            "getattr", 
             "os.system",
             "os.popen",
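Review bot: the added `"getattr", ` line carries trailing whitespace; trim it. More substantively, extending the string denylist with `vars` and `getattr` keeps the check dependent on the list being complete: the visible slice does not show `eval`, `globals`, `locals`, `setattr` or `importlib.import_module`, so confirm they are present in the unshown part of the list, and consider making `validate_plugin_code` fail closed on callees it cannot resolve rather than relying on enumeration alone.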
@@ -184,6 +186,10 @@ def resolve_name(node: ast.AST) -> Optional[str]:
                     attrs.append(base)
                     attrs.reverse()
                     return ".".join(attrs)
+            if isinstance(node, ast.Call):
+                inner = resolve_name(node.func)
+                if inner:
+                    return inner
             return None
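Review bot: `resolve_name` still returns None for any callee that is not a Name, Attribute or Call (a Subscript such as `[os.system][0](...)` or a Lambda), and the `if inner:` guard means a Call whose own `func` is unresolvable also falls through to `return None`. Unless the caller treats None as a violation, this closes the `getattr(...)(...)` shape but keeps the fail-open default; suggest rejecting any `ast.Call` whose callee does not resolve, and documenting that the recursion only unwraps the callee, not call arguments (a blocked function passed as an argument, e.g. to `map`, is not a call target and is not resolved here).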

Exploit Details

  • Security Researcher Write-up: Proof of concept demonstrating the use of getattr and vars to reach os.system from a plugin that passes the AST plugin scanner without a single finding.

Mitigation Strategies

  • Upgrade PySpector to version 0.1.7 or later.
  • Require a manual source code review of every custom plugin before it is loaded with the --trust flag.
  • Execute SAST scanning pipelines in isolated, ephemeral sandbox environments to limit the blast radius of arbitrary code execution.

Remediation Steps:

  1. Identify all environments and CI/CD pipelines utilizing PySpector.
  2. Update the pyspector dependency to >=0.1.7 in requirements.txt or the equivalent for your package manager.
  3. Audit existing installed plugins for suspicious usage of getattr, vars, or direct os/subprocess calls. A name-based search is itself a denylist, so also treat any indirection that hides the callee (subscripts, lambdas, importlib lookups) as suspicious rather than as clean.
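The indirect-call bypass described under Exploit Details, and the plugin audit in step 3, worked through as an added example. This is not PySpector's code: resolve_name_before and resolve_name_after are reconstructions of the callee resolution before and after the commit 771301e diff, the blocklists are only the slice visible in the hunk, find_dangerous_calls and audit_plugin_sources are assumed helper names, and the plugin bodies are constructed samples rather than the researcher's proof of concept.

```python
"""Added example (not PySpector's code): reconstructs the pre- and post-fix
callee resolution shown in the commit 771301e diff, runs both over
constructed plugin sources, and shows a fail-closed variant."""
import ast
from typing import Callable, Optional

# Assumption: only the slice of the blocklist visible in the diff; the real
# list inside validate_plugin_code is longer.
BLOCKLIST_BEFORE = {"exec", "compile", "__import__", "os.system", "os.popen"}
BLOCKLIST_AFTER = BLOCKLIST_BEFORE | {"vars", "getattr"}


def resolve_name_before(node: ast.AST) -> Optional[str]:
    """Pre-0.1.7 behaviour: a bare Name or a dotted Attribute chain resolves
    to 'os.system'-style text; any other callee shape yields None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        attrs = []
        while isinstance(node, ast.Attribute):
            attrs.append(node.attr)
            node = node.value
        if isinstance(node, ast.Name):
            attrs.append(node.id)
            attrs.reverse()
            return ".".join(attrs)
    return None


def resolve_name_after(node: ast.AST) -> Optional[str]:
    """0.1.7 behaviour: additionally unwrap a Call used as the callee, so
    getattr(os, "system")("id") resolves to "getattr"."""
    if isinstance(node, ast.Call):
        return resolve_name_after(node.func)
    return resolve_name_before(node)


def find_dangerous_calls(source: str,
                         resolver: Callable[[ast.AST], Optional[str]],
                         blocklist: set,
                         fail_closed: bool = False) -> list:
    """Return the sorted, de-duplicated callee names in `source` that hit the
    blocklist. With fail_closed=False (the behaviour the advisory describes)
    an unresolvable callee is silently accepted; with fail_closed=True it is
    reported as a finding in its own right."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = resolver(node.func)
        if name is None:
            if fail_closed:
                findings.add(f"<unresolved callee at line {node.lineno}>")
        elif name in blocklist:
            findings.add(name)
    return sorted(findings)


# Constructed plugin bodies; none of them is taken from the real PoC.
PLUGINS = {
    "direct": 'import os\nos.system("id")\n',
    "via_getattr": 'import os\ngetattr(os, "system")("id")\n',
    "via_vars": 'import os\nvars(os)["system"]("id")\n',
    "via_subscript": 'import os\n[os.system][0]("id")\n',
}


def audit_plugin_sources(sources: dict) -> dict:
    """Remediation step 3 style audit: run the patched resolver in
    fail-closed mode over each plugin and return its findings."""
    return {name: find_dangerous_calls(src, resolve_name_after,
                                       BLOCKLIST_AFTER, fail_closed=True)
            for name, src in sources.items()}


if __name__ == "__main__":
    for name, src in PLUGINS.items():
        before = find_dangerous_calls(src, resolve_name_before, BLOCKLIST_BEFORE)
        after = find_dangerous_calls(src, resolve_name_after, BLOCKLIST_AFTER)
        print(f"{name:14} <=0.1.6: {before or 'PASSES'}  0.1.7: {after or 'PASSES'}")
    print("fail-closed audit:", audit_plugin_sources(PLUGINS))
```

Running it shows the three stages the advisory describes: the direct os.system call is caught by both versions, the getattr and vars wrappers pass the pre-fix resolver and are caught only once the blocklist grows and the resolver unwraps the callee, and the subscript form passes both versions because its callee is neither a Name, an Attribute nor a Call. Only the fail-closed audit reports that last plugin, which is why an unresolvable callee should count as a finding rather than as "not dangerous".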

Read the full report for GHSA-VP22-38M5-R39R on our website for more details including interactive diagrams and full exploit analysis.
