CVE-2026-47103
CriticalCVSS 9.8Exploitation Probability (EPSS)
Elevated risk52th percentile — higher than 52% of all known CVEs
Summary
Python StateMachine versions 3.0.0 before 3.2.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary code by supplying malicious SCXML documents containing crafted `<data expr="...">` attributes.
Risk Assessment
An attacker can take control of the hosting process, leading to full system compromise, data theft, or further propagation of the attack within the network.
Recommendation
Immediately update the Python StateMachine library to version 3.2.0 or later, which fixes this vulnerability.
Original NVD description (English source)
Python StateMachine versions 3.0.0 before 3.2.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary code by supplying malicious SCXML documents containing crafted `<data expr="...">` attributes evaluated unsafely. The SCXMLProcessor passes attacker-controlled expression strings through a call chain ending in Python's built-in eval() without sandboxing, enabling arbitrary code execution in the context of the hosting process.

