CRITICAL
fgmacedo
CVE published 2026-06-17
CVE-2026-47103
CVE-2026-47103 is a remote code execution vulnerability in Python StateMachine versions 3.0.0 before 3.2.0. The vulnerability allows attackers to execute arbitrary code by supplying malicious SCXML documents containing crafted <data expr=...> attributes evaluated unsafely. The SCXMLProcessor passes attacker-controlled expression strings through a call chain ending in Python's built-in eval() without sandb [truncated]