CVE-2026-47103
python-statemachine SCXML <data expr> Eval Injection
Description
### Summary

python-statemachine 3.1.2 evaluates `<data expr="...">` attributes in SCXML documents using Python's `eval()`. Any application that passes attacker-controlled SCXML content to `SCXMLProcessor` is vulnerable to arbitrary code execution in the context of the hosting process.

### Details

`SCXMLProcessor.parse_scxml_file()` processes SCXML documents and evaluates `<data>` element `expr` attributes via the following call chain:

```
SCXMLProcessor.parse_scxml_file()
  SCXMLProcessor.process_definition()
    create_datamodel_action_callable()
      _create_dataitem_callable()
        _eval()
          eval()
```

`_eval()` calls Python's built-in `eval()` directly on the expression string without sandboxing or restriction.

### PoC

```
1. Install: pip install python-statemachine==3.1.2
2. Create an SCXML file containing:
   <data id="x" expr="__import__('pathlib').Path('marker.txt').write_text('pwned')"/>
3. Run:
   SCXMLProcessor.parse_scxml_file(DATA_EXPR_CHART)
   SCXMLProcessor.start()
4. During start(), <data expr> reaches _eval(), which calls eval().
5. Result:
   data_marker_before_start: False
   data_marker_after_start: True
   success: True
```

### Impact

This is an eval injection vulnerability (CWE-95). It yields remote or local code execution, depending on whether the consuming application accepts SCXML content from remote users, uploaded files, configuration, plugins, or other untrusted sources.
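A defensive pre-parse guard for applications that cannot upgrade immediately, written as an added example; it is not code from python-statemachine or from the advisory. It assumes the application only needs `<data expr="...">` to carry literal initial values (numbers, strings, lists, dicts) and rejects the whole document before it reaches `SCXMLProcessor` if any `expr` would do more than that. `ast.literal_eval` accepts only constants and container displays of constants, so attribute access, calls, names and `__import__` all raise and are reported. The function names, the sample charts and the `scxml_is_safe_to_load` helper are this example's own; the SCXML namespace URI is the W3C one.

```python
"""Pre-parse guard for SCXML documents before handing them to python-statemachine.

Added example (not python-statemachine code). Assumes <data expr> only ever
needs literal values; anything else is rejected before SCXMLProcessor, whose
_eval() passes the string to eval() in the affected versions, can see it.
"""
import ast
import xml.etree.ElementTree as ET

# SCXML elements live in this namespace; ElementTree exposes them as
# "{namespace}localname" tags.
SCXML_NS = "http://www.w3.org/2005/07/scxml"


def _is_data_element(tag: str) -> bool:
    # Accept both namespaced and bare <data> tags so a document that omits
    # the default namespace is still inspected rather than silently passed.
    return tag == f"{{{SCXML_NS}}}data" or tag == "data"


def find_unsafe_data_exprs(scxml_text: str) -> list:
    """Return (data id, expr) pairs whose expr is not a plain Python literal.

    ast.literal_eval only accepts constants and container displays of
    constants; attribute access, calls, names and imports all raise, so
    anything that would perform work under eval() ends up in the result.
    """
    root = ET.fromstring(scxml_text)
    unsafe = []
    for elem in root.iter():
        if not _is_data_element(elem.tag):
            continue
        expr = elem.get("expr")
        if expr is None:
            continue  # <data> with inline content or src: nothing to eval here
        try:
            ast.literal_eval(expr)
        except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
            unsafe.append((elem.get("id", "<no id>"), expr))
    return unsafe


def scxml_is_safe_to_load(scxml_text: str) -> bool:
    """True only if every <data expr> is a literal; check this before SCXMLProcessor."""
    return not find_unsafe_data_exprs(scxml_text)


# Constructed sample documents (hypothetical, not from the advisory).
SAFE_CHART = """<scxml xmlns="http://www.w3.org/2005/07/scxml" version="1.0" initial="idle">
  <datamodel>
    <data id="retries" expr="3"/>
    <data id="labels" expr="['a', 'b']"/>
  </datamodel>
  <state id="idle"/>
</scxml>"""

UNSAFE_CHART = """<scxml xmlns="http://www.w3.org/2005/07/scxml" version="1.0" initial="idle">
  <datamodel>
    <data id="cwd" expr="__import__('os').getcwd()"/>
  </datamodel>
  <state id="idle"/>
</scxml>"""

if __name__ == "__main__":
    print("safe chart ok:", scxml_is_safe_to_load(SAFE_CHART))
    print("unsafe exprs:", find_unsafe_data_exprs(UNSAFE_CHART))
```

The guard is a filter on the document, not a replacement for the library's evaluator: an affected version still calls `eval()` on whatever string gets through, so the check only narrows the input to strings that `eval()` cannot turn into code, and upgrading to a fixed release remains the actual remediation. Applications that legitimately use `expr` to reference other data items (for example `expr="counter + 1"`) will see those documents rejected by this guard and need a different policy.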
How to fix CVE-2026-47103
To remediate CVE-2026-47103, upgrade the affected package to a fixed version below.
- python-statemachine: upgrade to 3.2.0 or later
Is CVE-2026-47103 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-47103.
Affected packages (1)
- python-statemachine >= 3.0.0, < 3.2.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |