Critical severity10.0NVD Advisory· Published Apr 6, 2026· Updated May 1, 2026
CVE-2026-34444
CVE-2026-34444
Description
Lupa integrates the runtimes of Lua or LuaJIT2 into CPython. In 2.6 and earlier, attribute_filter is not consistently applied when attributes are accessed through built-in functions like getattr and setattr. This allows an attacker to bypass the intended restrictions and eventually achieve arbitrary code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
lupaPyPI | <= 2.6 | — |
Affected products
10- osv-coords9 versionspkg:apk/chainguard/py3.11-prefectpkg:apk/chainguard/py3.11-prefect-fipspkg:apk/chainguard/py3.12-prefectpkg:apk/chainguard/py3.12-prefect-fipspkg:apk/chainguard/py3.13-prefectpkg:apk/chainguard/py3.13-prefect-fipspkg:apk/chainguard/py3.14-prefectpkg:pypi/lupapkg:rpm/opensuse/python-lupa&distro=openSUSE%20Tumbleweed
< 3.7.3-r0+ 8 more
- (no CPE)range: < 3.7.3-r0
- (no CPE)range: < 3.7.3-r0
- (no CPE)range: < 3.7.3-r0
- (no CPE)range: < 3.7.3-r0
- (no CPE)range: < 3.7.3-r0
- (no CPE)range: < 3.7.3-r0
- (no CPE)range: < 3.7.3-r0
- (no CPE)range: <= 2.6
- (no CPE)range: < 2.7-1.1
Patches
Vulnerability mechanics
References
3- github.com/scoder/lupa/security/advisories/GHSA-69v7-xpr6-6gjmnvdExploitVendor AdvisoryWEB
- github.com/advisories/GHSA-69v7-xpr6-6gjmghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-34444ghsaADVISORY
News mentions
0No linked articles in our index yet.