PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-47103 fgmacedo CVE debrief

CVE-2026-47103 is a remote code execution vulnerability in Python StateMachine versions 3.0.0 before 3.2.0. The vulnerability allows attackers to execute arbitrary code by supplying malicious SCXML documents containing crafted <data expr=...> attributes evaluated unsafely. The SCXMLProcessor passes attacker-controlled expression strings through a call chain ending in Python's built-in eval() without sandboxing, enabling arbitrary code execution in the context of the hosting process. This vulnerability has a CVSS score of 9.3 and is considered CRITICAL.

Vendor
fgmacedo
Product
python-statemachine
CVSS
CRITICAL 9.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-17
Original CVE updated
2026-06-18
Advisory published
2026-06-17
Advisory updated
2026-06-18

Who should care

Users of Python StateMachine versions 3.0.0 before 3.2.0 should be aware of this vulnerability and take steps to mitigate it. This includes upgrading to version 3.2.0 or later, and validating and sanitizing SCXML documents before processing them. Operators, platform administrators, vulnerability management teams, and security teams should review the vulnerability details and assess their exposure.

Technical summary

The vulnerability exists in the SCXMLProcessor of Python StateMachine, where it passes attacker-controlled expression strings through a call chain ending in Python's built-in eval() without sandboxing. This allows attackers to execute arbitrary code in the context of the hosting process by supplying malicious SCXML documents containing crafted <data expr=...> attributes. The affected product is Python StateMachine versions 3.0.0 before 3.2.0.

Defensive priority

High

Recommended defensive actions

  • Upgrade to Python StateMachine version 3.2.0 or later
  • Validate and sanitize SCXML documents before processing them
  • Implement additional security measures such as sandboxing or input validation
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-06-17T15:16:58.460Z and was last modified on 2026-06-18T16:16:55.183Z. The NVD entry is currently Awaiting Analysis. This vulnerability affects Python StateMachine versions 3.0.0 before 3.2.0. Evidence is limited to CVE and NVD details. Defenders should verify SCXML document processing and evaluate potential exposure.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T15:16:58.460Z and has not been modified since then. The NVD entry is currently Awaiting Analysis.