PatchSiren cyber security CVE debrief
CVE-2026-47103 fgmacedo CVE debrief
CVE-2026-47103 is a remote code execution vulnerability in Python StateMachine versions 3.0.0 before 3.2.0. The vulnerability allows attackers to execute arbitrary code by supplying malicious SCXML documents containing crafted <data expr=...> attributes evaluated unsafely. The SCXMLProcessor passes attacker-controlled expression strings through a call chain ending in Python's built-in eval() without sandboxing, enabling arbitrary code execution in the context of the hosting process. This vulnerability has a CVSS score of 9.3 and is considered CRITICAL.
- Vendor
- fgmacedo
- Product
- python-statemachine
- CVSS
- CRITICAL 9.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-17
- Original CVE updated
- 2026-06-18
- Advisory published
- 2026-06-17
- Advisory updated
- 2026-06-18
Who should care
Users of Python StateMachine versions 3.0.0 before 3.2.0 should be aware of this vulnerability and take steps to mitigate it. This includes upgrading to version 3.2.0 or later, and validating and sanitizing SCXML documents before processing them. Operators, platform administrators, vulnerability management teams, and security teams should review the vulnerability details and assess their exposure.
Technical summary
The vulnerability exists in the SCXMLProcessor of Python StateMachine, where it passes attacker-controlled expression strings through a call chain ending in Python's built-in eval() without sandboxing. This allows attackers to execute arbitrary code in the context of the hosting process by supplying malicious SCXML documents containing crafted <data expr=...> attributes. The affected product is Python StateMachine versions 3.0.0 before 3.2.0.
Defensive priority
High
Recommended defensive actions
- Upgrade to Python StateMachine version 3.2.0 or later
- Validate and sanitize SCXML documents before processing them
- Implement additional security measures such as sandboxing or input validation
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record was published on 2026-06-17T15:16:58.460Z and was last modified on 2026-06-18T16:16:55.183Z. The NVD entry is currently Awaiting Analysis. This vulnerability affects Python StateMachine versions 3.0.0 before 3.2.0. Evidence is limited to CVE and NVD details. Defenders should verify SCXML document processing and evaluate potential exposure.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T15:16:58.460Z and has not been modified since then. The NVD entry is currently Awaiting Analysis.