PySpector: Stored XSS in PySpector HTML Report Generation leads to Javascript Code Execution
Description
PySpector is a static analysis security testing (SAST) framework built for modern Python development workflows. PySpector versions 0.1.6 and prior contain a stored cross-site scripting (XSS) vulnerability in the HTML report generator. When PySpector scans a Python file whose flagged code contains HTML or JavaScript (for example, a script tag inside a string literal passed to eval()), the flagged code snippet is interpolated into the HTML report without escaping. Opening the generated report in a browser executes the embedded JavaScript in the browser's local file context, i.e. the file:// origin the report is opened from. The XSS is "stored" because the payload is supplied by whoever authored the scanned source, not by the person viewing the report. This issue has been patched in version 0.1.7.
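The interpolation pattern the description attributes to the report generator, shown beside an escaped version, as an added Python example. This is not PySpector's code: the helper names (render_finding_vulnerable, render_finding_safe, build_report, contains_live_script), the row template, the CSP string and the sample flagged snippet are all assumptions constructed for illustration.

```python
import html

# Constructed sample input (not from a real scan): a line a SAST tool would
# flag for eval(), whose string literal happens to carry an HTML/JS payload.
FLAGGED_SNIPPET = 'eval("<script>alert(document.location)</script>")'

# Hypothetical row template for the report table.
ROW = "<tr><td>{file}</td><td>{line}</td><td><code>{snippet}</code></td></tr>"

# Restrictive CSP for a static report: no scripts at all, inline CSS only.
CSP = "default-src 'none'; style-src 'unsafe-inline'"


def render_finding_vulnerable(path: str, lineno: int, snippet: str) -> str:
    """The pattern the advisory describes: the flagged code is dropped into
    the HTML verbatim, so any markup inside it becomes live markup."""
    return ROW.format(file=path, line=lineno, snippet=snippet)


def render_finding_safe(path: str, lineno: int, snippet: str) -> str:
    """Escape every field that originates from the scanned source. quote=True
    also escapes ' and ", so the helper stays safe if a value is later placed
    inside an attribute rather than element text."""
    return ROW.format(
        file=html.escape(path, quote=True),
        line=int(lineno),
        snippet=html.escape(snippet, quote=True),
    )


def build_report(rows: list[str]) -> str:
    """Assemble a full page. The CSP meta tag is defense in depth: even if a
    row slipped through unescaped, the browser would refuse to run the script.
    Escaping remains the actual fix; CSP only limits the blast radius."""
    head = (
        "<!doctype html><html><head><meta charset='utf-8'>"
        f"<meta http-equiv='Content-Security-Policy' content=\"{CSP}\">"
        "<title>Scan report</title></head><body><table>"
    )
    return head + "".join(rows) + "</table></body></html>"


def contains_live_script(fragment: str) -> bool:
    """Check used below to show the difference: a raw '<script' in the output
    is an element the browser will parse and execute."""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    unsafe = render_finding_vulnerable("app.py", 12, FLAGGED_SNIPPET)
    safe = render_finding_safe("app.py", 12, FLAGGED_SNIPPET)
    print("vulnerable row has live <script>:", contains_live_script(unsafe))
    print("escaped row has live <script>:   ", contains_live_script(safe))
    print(build_report([safe]))
```

The vulnerable row reproduces the class of bug: the snippet is a string the scanner copied out of attacker-authored source, and it lands in the document as markup. The safe row escapes the path as well as the snippet, because a file name is also attacker-controlled once the scanner walks an untrusted tree. The CSP in build_report is a belt-and-braces measure for a static report that needs no scripts; it does not replace escaping, since a report that must include its own JavaScript would have to relax it.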
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pyspector (PyPI) | < 0.1.7 | 0.1.7 |
Affected products
- Range: < 0.1.7
Patches
No patch commits linked yet (the advisory states the fix ships in version 0.1.7).
References
- github.com/advisories/GHSA-2gmv-2r3v-jxj2 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-33140 (NVD)
- github.com/ParzivalHack/PySpector/security/advisories/GHSA-2gmv-2r3v-jxj2 (repository advisory, vendor confirmation)