Security Validation Bypass in PySpector Plugin System
CVE-2026-33139

8.3HIGH

Key Information:

Vendor: Parzivalhack
Status: Pyspector
Vendor: CVE Published:; 20 March 2026

🔔 Create Parzivalhack Vulnerability Alert

What is CVE-2026-33139?

The PySpector static analysis security testing framework is subject to a security validation bypass vulnerability in its plugin system. This issue arises in versions 0.1.6 and earlier, where the validate_plugin_code() function fails to adequately analyze certain indirect function calls. Specifically, the internal resolve_name() helper is unable to manage certain node types, permitting malicious plugins to circumvent security checks. As a result, when executing a plugin that indirectly calls system commands via getattr(), attackers can exploit this vulnerability to execute arbitrary commands on the system. This security flaw has been addressed in version 0.1.7, ensuring that trust verification functions correctly across various function call types.

Affected Version(s)

PySpector < 0.1.7

References

https://github.com/ParzivalHack/PySpector/security/adviso...

x_refsource_CONFIRM

CVSS V4

Score:

8.3

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

Low

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 20, 2026
Vulnerability Reserved
Mar 17, 2026

CVE-2026-33139 Data

JSON