Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-33140 is a stored Cross-Site Scripting (XSS) vulnerability in PySpector versions 0.1.6 and earlier, specifically in its HTML report generator.'}, {'type': 'paragraph', 'content': 'When PySpector scans a Python file containing JavaScript payloads inside strings passed to eval(), the flagged code snippet is inserted directly into the generated HTML report without any sanitization.'}, {'type': 'paragraph', 'content': "Opening this HTML report in a browser causes the embedded JavaScript to execute in the browser's local file context, allowing arbitrary JavaScript code execution."}, {'type': 'paragraph', 'content': 'This means an attacker can craft a malicious Python file that, when scanned by a victim using PySpector, results in an HTML report executing attacker-controlled JavaScript.'}, {'type': 'paragraph', 'content': 'The vulnerability was fixed in PySpector version 0.1.7.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

The vulnerability allows an attacker to execute arbitrary JavaScript code in the context of the local file system when a user opens the generated HTML report.

While the local file context restricts some actions like stealing cookies or making credentialed requests, the attacker can still manipulate the Document Object Model (DOM), redirect users to malicious pages, and potentially access local data accessible via browser-dependent fetch or XMLHttpRequest calls to file:// paths.

This can lead to low confidentiality and integrity impacts on the affected system.

Users who scan untrusted Python code and generate HTML reports with vulnerable PySpector versions are at risk.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by identifying if you are using PySpector version 0.1.6 or earlier to generate HTML reports from scanned Python files.'}, {'type': 'paragraph', 'content': 'Specifically, detection involves checking if the generated HTML report contains unsanitized JavaScript code snippets interpolated from Python files that include JavaScript payloads inside strings passed to eval().'}, {'type': 'paragraph', 'content': 'To detect the vulnerable PySpector version on your system, you can run the following command to check the installed version:'}, {'type': 'list_item', 'content': 'pip show pyspector'}, {'type': 'paragraph', 'content': 'Additionally, you can inspect generated HTML reports for embedded JavaScript code by searching for <script> tags or suspicious eval() strings within the report files.'}, {'type': 'paragraph', 'content': 'For example, on a Unix-like system, you can use grep to search for eval() or script tags in the report directory:'}, {'type': 'list_item', 'content': "grep -rE '(eval\\(|<script>)' /path/to/pyspector/reports/"}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and recommended mitigation step is to upgrade PySpector to version 0.1.7 or later, where this stored Cross-Site Scripting vulnerability has been patched.

Until the upgrade is applied, avoid opening HTML reports generated by PySpector versions 0.1.6 or earlier, especially if the scanned Python files come from untrusted sources.

Additionally, consider scanning only trusted Python code or disabling HTML report generation if possible.

Useful 0 Not Useful 0