CVE-2023-43364
Description
Searchor <=2.4.2 uses eval() on CLI input in main.py, allowing arbitrary code execution via crafted queries.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
In Searchor versions prior to 2.4.2, the main.py file uses the Python eval() function on user-supplied command-line interface (CLI) input. Specifically, the search function constructs a string using the user-provided query argument and passes it directly to eval(), as shown in the source code: eval(f"Engine.{engine}.search('{query}', copy_url={copy}, open_web={open})") [1][2][4]. This design flaw allows an attacker to inject arbitrary Python expressions.
Exploitation
The vulnerability is exploitable through the CLI interface without any authentication. An attacker can supply a malicious query string that includes Python code, such as __import__('os').system('') or __import__('os').popen('').read(), which will be executed by eval() [4]. The attack requires only that the attacker can invoke the Searchor CLI, making it accessible to anyone with local or remote access to the command line.
Impact
Successful exploitation results in arbitrary command execution on the host system with the privileges of the user running Searchor. This can lead to full system compromise, data exfiltration, or further lateral movement within the network [3][4]. The vulnerability is publicly documented with a proof-of-concept exploit, increasing the risk of active exploitation.
Mitigation
The issue is fixed in Searchor version 2.4.2. Users are strongly advised to upgrade immediately. No workarounds are available; the only remediation is to apply the patch [1][4]. The vulnerability has been assigned CVE-2023-43364 and is tracked in the PyPA advisory database [3].
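To make the Overview and Mitigation sections concrete, here is an added example (not code from the Searchor project) that puts the pre-2.4.2 eval() pattern next to the 2.4.2 fix and adds a small audit helper. The `Engine` enum is a constructed stand-in with two URL templates; the real library's engine list and its copy/open side effects are not reproduced. The demonstration input is deliberately benign: a query containing an apostrophe is enough to show that the vulnerable path hands the query to the Python parser as source (it fails with SyntaxError), while the fixed path treats the same query as data and returns a URL.

```python
import ast
from enum import Enum
from urllib.parse import quote_plus


class Engine(Enum):
    """Constructed stand-in for searchor's Engine enum: the value is a URL template."""
    Google = "https://www.google.com/search?q={}"
    DuckDuckGo = "https://duckduckgo.com/?q={}"

    def search(self, query, copy_url=False, open_web=False):
        # The real library also copies/opens the URL; here we only build it.
        return self.value.format(quote_plus(query))


def search_vulnerable(engine, query, open=False, copy=False):
    """Pre-2.4.2 pattern: the query is spliced into Python source and eval'd.
    Everything in `query` is parsed as code, not treated as a search term."""
    return eval(f"Engine.{engine}.search('{query}', copy_url={copy}, open_web={open})")


def search_fixed(engine, query, open=False, copy=False):
    """The 2.4.2 fix: enum lookup by name and an ordinary call; `query` stays a string.
    Note that an unknown engine name now raises KeyError instead of AttributeError."""
    return Engine[engine].search(query, copy_url=copy, open_web=open)


def vulnerable_path_raises_syntax_error(query, engine="Google"):
    """True when the vulnerable path cannot even parse `query` as code: a bare
    apostrophe already terminates the generated string literal. That symptom
    is the benign face of the same flaw the advisory describes."""
    try:
        search_vulnerable(engine, query)
    except SyntaxError:
        return True
    return False


def find_eval_of_non_literal(source):
    """Audit helper: line numbers of eval()/exec() calls whose first argument is
    anything other than a string constant (f-strings, concatenation, variables).
    Only direct calls of the builtin names are considered, which is enough to
    catch the pattern that was in main.py."""
    flagged = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Name)
                and node.func.id in ("eval", "exec")
                and node.args
                and not isinstance(node.args[0], ast.Constant)):
            flagged.append(node.lineno)
    return flagged


# Constructed source snippets shaped like the before/after of the fix, used
# only to exercise the audit helper (line 2 of the first one is the eval call).
VULNERABLE_SNIPPET = (
    "def search(engine, query, open, copy):\n"
    "    url = eval(\n"
    "        f\"Engine.{engine}.search('{query}', copy_url={copy}, open_web={open})\"\n"
    "    )\n"
    "    return url\n"
)
FIXED_SNIPPET = (
    "def search(engine, query, open, copy):\n"
    "    url = Engine[engine].search(query, copy_url=copy, open_web=open)\n"
    "    return url\n"
)


if __name__ == "__main__":
    print(search_fixed("Google", "rock'n'roll"))
    print(vulnerable_path_raises_syntax_error("rock'n'roll"))
    print(find_eval_of_non_literal(VULNERABLE_SNIPPET), find_eval_of_non_literal(FIXED_SNIPPET))
```

The audit helper is the check a reviewer would run over a code base before and after a patch like #130: it flags `eval`/`exec` whose argument is built at runtime, which is exactly the shape that turns CLI text into executable Python, and reports nothing for the enum-lookup form.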
[1] NVD - CVE-2023-43364
[2] GitHub - ArjunSharda/Searchor: ⚡️ Quick and easy searching tasks in one library.
[3] advisory-database/vulns/searchor/PYSEC-2023-262.yaml at main · pypa/advisory-database
[4] GitHub - nikn0laty/Exploit-for-Searchor-2.4.0-Arbitrary-CMD-Injection: Reverse Shell Exploit for Searchor <= 2.4.2 (2.4.0)
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| searchor (PyPI) | < 2.4.2 | 2.4.2 |
Affected products
- Searchor/Searchor
Patches
- 16016506f7bf Merge pull request #130 from dan-pavlov/remove-eval-from-cli
1 file changed · +1 −3
src/searchor/main.py+1 −3 modified@@ -29,9 +29,7 @@ def cli(): @click.argument("query") def search(engine, query, open, copy): try: - url = eval( - f"Engine.{engine}.search('{query}', copy_url={copy}, open_web={open})" - ) + url = Engine[engine].search(query, copy_url=copy, open_web=open) click.echo(url) searchor.history.update(engine, query, url) if open:
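Review bot: `Engine[engine]` raises KeyError for a name that is not an enum member, whereas the old `eval(f"Engine.{engine}...")` raised AttributeError; the `try:` is visible in this hunk but its `except` clause is not, so confirm it catches KeyError or the CLI will now exit with a traceback on a mistyped engine name. The replacement itself is the right fix: `query`, `copy` and `open` are passed as values instead of being interpolated into Python source, so a query containing quotes or parentheses can no longer change the expression being evaluated. A regression test that invokes `search` with a query containing a single quote and asserts a URL is echoed would pin the behaviour down.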
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-66m2-493m-crh2 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-43364 (ghsa, ADVISORY)
- github.com/ArjunSharda/Searchor/commit/16016506f7bf92b0f21f51841d599126d6fcd15b (ghsa, WEB)
- github.com/ArjunSharda/Searchor/pull/130 (ghsa, WEB)
- github.com/ArjunSharda/Searchor/security/advisories/GHSA-66m2-493m-crh2 (ghsa, WEB)
- github.com/pypa/advisory-database/tree/main/vulns/searchor/PYSEC-2023-262.yaml (ghsa, WEB)
News mentions
No linked articles in our index yet.