SCA: security update for pyspector (GHSA-v3xv-8vc3-h2m6)

high Tenable Cloud Security Plugin ID 438943

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- PySpector is a static analysis security testing (SAST) Framework engineered for modern Python development
workflows. PySpector versions 0.1.6 and prior are affected by a security validation bypass in the plugin
system. The validate_plugin_code() function in plugin_system.py, performs static AST analysis to block
dangerous API calls before a plugin is trusted and executed. However, the internal resolve_name() helper
only handles ast.Name and ast.Attribute node types, returning None for all others. When a plugin uses
indirect function calls via getattr() (such as getattr(os, 'system')) the outer call's func node is of
type ast.Call, causing resolve_name() to return None, and the security check to be silently skipped. The
plugin incorrectly passes the trust workflow, and executes arbitrary system commands on the user's machine
when loaded. This issue has been patched in version 0.1.7. (CVE-2026-33139)

Solution

Update the pyspector library and its related packages to version 0.1.7 or later.

See Also

https://github.com/advisories/GHSA-v3xv-8vc3-h2m6

Plugin Details

Severity: High

ID: 438943

Version: Revision 1.8

Type: Local

Family: SCA Checks

Published: 3/18/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 96.95

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-33139

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.3

Threat Score: 6.9

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/18/2026

Vulnerability Publication Date: 3/18/2026

Reference Information

CVE: CVE-2026-33139

cwe: CWE-184