CVE-2026-47103
Status: Awaiting Analysis - Queue
Remote Code Execution in Python StateMachine

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: VulnCheck

Description
Python StateMachine versions from 3.0.0 up to, but not including, 3.2.0 contain a remote code execution vulnerability that allows attackers to execute arbitrary code by supplying malicious SCXML documents containing crafted `<data expr="...">` attributes that are evaluated unsafely. The SCXMLProcessor passes attacker-controlled expression strings through a call chain ending in Python's built-in eval() without sandboxing, enabling arbitrary code execution in the context of the hosting process.
Meta Information
Published: 2026-06-17
Last Modified: 2026-06-17
Generated: 2026-06-17
AI Q&A: 2026-06-17
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: fgmacedo
Product: python_statemachine
Version / Range: up to 3.2.0 (excluding)
CWE
CWE-95: The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
Compliance Impact

The vulnerability allows remote code execution through unsafe evaluation of attacker-controlled expressions, which can lead to unauthorized access, modification, or destruction of data.

Such unauthorized access and potential data breaches can impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding sensitive information and ensuring system integrity.

Exploitation of this vulnerability could result in violations of confidentiality, integrity, and availability requirements mandated by these standards.

Therefore, organizations using affected versions of python-statemachine without mitigation may face increased risk of non-compliance due to potential data breaches or system compromise.

Executive Summary

CVE-2026-47103 is a critical remote code execution vulnerability in Python StateMachine versions 3.0.0 to 3.1.x. It occurs because the SCXMLProcessor component evaluates expressions from SCXML documents using Python's built-in eval() function without sandboxing or restrictions. Attackers can supply malicious SCXML documents containing crafted <data expr="..."> attributes that get executed unsafely, allowing arbitrary code execution within the hosting process.

This vulnerability arises from an eval injection flaw (CWE-95) where attacker-controlled expression strings are passed through a call chain ending in eval(), enabling execution of arbitrary Python code. The issue affects only users who load SCXML documents from untrusted or third-party sources using the experimental SCXML loader.

The vulnerability was fixed in version 3.2.0 by introducing a restricted AST-whitelist evaluator that only permits safe operations, preventing arbitrary code execution unless explicitly enabled with a trusted flag.

Impact Analysis

This vulnerability can have severe impacts including remote code execution, allowing attackers to run arbitrary Python code on the affected system.

  • Attackers can execute malicious code remotely if they can supply crafted SCXML documents to the vulnerable SCXMLProcessor.
  • It can lead to full compromise of the hosting process, affecting confidentiality, integrity, and availability of the system.
  • Proof-of-concept exploits demonstrate the ability to write arbitrary files, potentially enabling further system compromise.

Only applications that load SCXML documents from untrusted sources using the SCXML loader are affected; standard usage of Python StateMachine without this loader is not impacted.

Detection Guidance

This vulnerability occurs when the python-statemachine library versions 3.0.0 to 3.1.x process untrusted SCXML documents containing malicious <data expr="..."> attributes that are evaluated unsafely using Python's eval() function.

To detect if your system is vulnerable, first check the version of python-statemachine installed.

  • Run the command: pip show python-statemachine
  • or: pip list | grep python-statemachine

If the version is between 3.0.0 and 3.1.x, your system is potentially vulnerable if it uses the SCXML loader with untrusted sources.

To detect exploitation attempts on your network or system, monitor for unexpected processing of SCXML files from untrusted or third-party sources, especially those containing <data expr="..."> attributes.

Since the vulnerability involves arbitrary code execution via eval(), suspicious log entries or unusual behavior of the hosting process during SCXML processing, such as the unexpected file writes shown by the proof-of-concept exploits, may indicate exploitation.

Mitigation Strategies

The primary mitigation step is to upgrade the python-statemachine library to version 3.2.0 or later, where the vulnerability is fixed by introducing a restricted AST-whitelist evaluator that safely processes datamodel expressions.

If upgrading is not immediately possible, avoid loading SCXML documents from untrusted or third-party sources using the vulnerable SCXML loader.

Pinning python-statemachine to a version below 3.2.0 (for example, because you cannot upgrade the Python interpreter) is not recommended, since it leaves the vulnerability unpatched; if you must stay on such a version, also apply the workaround above and do not load untrusted SCXML documents.

Review your application to confirm that it does not process untrusted SCXML input, and disable the experimental SCXML loader if it is not needed.
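The restricted AST-whitelist evaluator that the 3.2.0 fix describes, as an added illustration (not python-statemachine's own code): it binds `<data id="..." expr="...">` values by walking the expression's AST and permitting only literals, names already in the datamodel and arithmetic, comparison and boolean operators, so the `expr` string never reaches eval(). The exact operator set and the namespace-agnostic tag match are assumptions.

```python
import ast
import operator
import xml.etree.ElementTree as ET

# Whitelisted operators (an assumption); any AST node type not handled below is rejected.
_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.truediv, ast.Mod: operator.mod, ast.USub: operator.neg,
    ast.Not: operator.not_, ast.Eq: operator.eq, ast.NotEq: operator.ne,
    ast.Lt: operator.lt, ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge,
}

def safe_eval(expr: str, datamodel: dict):
    """Evaluate a datamodel expression by walking its AST; eval() is never called."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant):
            return node.value
        if isinstance(node, ast.Name):          # only names bound in the datamodel
            if node.id in datamodel:
                return datamodel[node.id]
            raise ValueError(f"unknown name {node.id!r}")
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.operand))
        if isinstance(node, ast.BoolOp):
            values = [walk(v) for v in node.values]
            return all(values) if isinstance(node.op, ast.And) else any(values)
        if isinstance(node, ast.Compare) and all(type(o) in _OPS for o in node.ops):
            left, result = walk(node.left), True
            for op, comparator in zip(node.ops, node.comparators):
                right = walk(comparator)
                result = result and bool(_OPS[type(op)](left, right))
                left = right
            return result
        # Call, Attribute, Subscript, Lambda, comprehensions etc. all land here.
        raise ValueError(f"disallowed syntax in expr: {type(node).__name__}")

    return walk(ast.parse(expr, mode="eval"))

def load_datamodel(scxml: str) -> dict:
    """Bind each <data id=".." expr=".."> in document order using safe_eval."""
    datamodel = {}
    for elem in ET.fromstring(scxml).iter():
        if elem.tag.rsplit("}", 1)[-1] == "data":   # namespace-agnostic match (assumption)
            datamodel[elem.get("id")] = safe_eval(elem.get("expr", "None"), datamodel)
    return datamodel
```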
