CVE-2026-33140 | ParzivalHack PySpector up to 0.1.6 HTML Report eval HTML injection (GHSA-2gmv-2r3v-jxj2)

VDB-352139 · CVE-2026-33140 · GHSA-2GMV-2R3V-JXJ2 PARZIVALHACK PYSPECTOR UP TO 0.1.6 HTML REPORT EVAL HTML INJECTION HISTORYDIFFRELATEJSONXMLCTI CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score 3.4 $0-$5k 1.64+ Summaryinfo A vulnerability marked as problematic has been reported in ParzivalHack PySpector up to 0.1.6. The impacted element is the function eval of the component HTML Report Handler. The manipulation leads to HTML injection. This vulnerability is traded as CVE-2026-33140. It is possible to initiate the attack remotely. There is no exploit available. It is suggested to upgrade the affected component. Detailsinfo A vulnerability was found in ParzivalHack PySpector up to 0.1.6 and classified as problematic. This issue affects the function eval of the component HTML Report Handler. The manipulation with an unknown input leads to a html injection vulnerability. Using CWE to declare the problem leads to CWE-79. The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Impacted is integrity. The summary by CVE is: PySpector is a static analysis security testing (SAST) Framework engineered for modern Python development workflows. PySpector versions 0.1.6 and prior are affected by a stored Cross-Site Scripting (XSS) vulnerability in the HTML report generator. When PySpector scans a Python file containing JavaScript payloads (i.e. inside a string passed to eval() ), the flagged code snippet is interpolated into the HTML report without sanitization. Opening the generated report in a browser causes the embedded JavaScript to execute in the browser's local file context. This issue has been patched in version 0.1.7. It is possible to read the advisory at github.com. The identification of this vulnerability is CVE-2026-33140 since 03/17/2026. The exploitation is known to be easy. The attack may be initiated remotely. It demands that the victim is doing some kind of user interaction. Technical details of the vulnerability are known, but there is no available exploit. The attack technique deployed by this issue is T1059.007 according to MITRE ATT&CK. Upgrading to version 0.1.7 eliminates this vulnerability. Productinfo Vendor ParzivalHack Name PySpector Version 0.1.0 0.1.1 0.1.2 0.1.3 0.1.4 0.1.5 0.1.6 Website Product: https://github.com/ParzivalHack/PySpector/ CPE 2.3info 🔒 🔒 🔒 CPE 2.2info 🔒 🔒 🔒 CVSSv4info VulDB Vector: 🔒 VulDB Reliability: 🔍 CNA CVSS-B Score: 🔒 CNA CVSS-BT Score: 🔒 CNA Vector: 🔒 CVSSv3info VulDB Meta Base Score: 3.5 VulDB Meta Temp Score: 3.4 VulDB Base Score: 3.5 VulDB Temp Score: 3.4 VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv2info Vector Complexity Authentication Confidentiality Integrity Availability Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock VulDB Base Score: 🔒 VulDB Temp Score: 🔒 VulDB Reliability: 🔍 Exploitinginfo Class: HTML injection CWE: CWE-79 / CWE-94 / CWE-74 CAPEC: 🔒 ATT&CK: 🔒 Physical: No Local: No Remote: Yes Availability: 🔒 Status: Not defined Price Prediction: 🔍 Current Price Estimation: 🔒 0-Day Unlock Unlock Unlock Unlock Today Unlock Unlock Unlock Unlock Threat Intelligenceinfo Interest: 🔍 Active Actors: 🔍 Active APT Groups: 🔍 Countermeasuresinfo Recommended: Upgrade Status: 🔍 0-Day Time: 🔒 Upgrade: PySpector 0.1.7 Timelineinfo 03/17/2026 CVE reserved 03/20/2026 +3 days Advisory disclosed 03/20/2026 +0 days VulDB entry created 03/20/2026 +0 days VulDB entry last update Sourcesinfo Product: github.com Advisory: GHSA-2gmv-2r3v-jxj2 Status: Confirmed CVE: CVE-2026-33140 (🔒) GCVE (CVE): GCVE-0-2026-33140 GCVE (VulDB): GCVE-100-352139 Entryinfo Created: 03/20/2026 23:33 Changes: 03/20/2026 23:33 (69) Complete: 🔍 Cache ID: 99:71A:101 Discussion No comments yet. Languages: en. Please log in to comment. ◂ PreviousOverviewNext ▸