Critical severity10.0NVD Advisory· Published Apr 6, 2026· Updated May 1, 2026

CVE-2026-34444

Description

Lupa integrates the runtimes of Lua or LuaJIT2 into CPython. In 2.6 and earlier, attribute_filter is not consistently applied when attributes are accessed through built-in functions like getattr and setattr. This allows an attacker to bypass the intended restrictions and eventually achieve arbitrary code execution.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
lupaPyPI	<= 2.6	—

Affected products

Scoder/Lupa
cpe:2.3:a:scoder:lupa:*:*:*:*:*:python:*:*
Range: <=2.6

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/scoder/lupa/security/advisories/GHSA-69v7-xpr6-6gjmnvdExploitVendor AdvisoryWEB
github.com/advisories/GHSA-69v7-xpr6-6gjmghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-34444ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.650
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000