Code Execution Vulnerability in Lupa Integrated with CPython
CVE-2026-34444

7.9HIGH

Key Information:

Vendor: Scoder
Status: Lupa
Vendor: CVE Published:; 6 April 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-34444?

The Lupa library, which integrates Lua or LuaJIT into CPython, has a significant vulnerability where the attribute_filter is not consistently enforced for attributes accessed via built-in functions such as getattr and setattr in versions 2.6 and earlier. This inconsistency permits attackers to circumvent intended access controls, ultimately leading to possibilities for arbitrary code execution within the environment.

Affected Version(s)

lupa <= 2.6

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-34444
Created by redyank

References

https://github.com/scoder/lupa/security/advisories/GHSA-6...

x_refsource_CONFIRM

CVSS V4

Score:

7.9

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 6, 2026
🟡
Public PoC available
Apr 3, 2026
👾
Exploit known to exist
Apr 3, 2026
Vulnerability Reserved
Mar 27, 2026

CVE-2026-34444 Data

JSON

Scoder

Badges

What is CVE-2026-34444?

Affected Version(s)

Exploit Proof of Concept (PoC)

References

CVSS V4

Timeline