VDB

CVE-2026-34444

CVE-2026-34444 PUBLISHED CVSS 7.900000095367432 HIGH

Lupa integrates the runtimes of Lua or LuaJIT2 into CPython. In 2.6 and earlier, attribute_filter is not consistently applied when attributes are accessed through built-in functions like getattr and setattr. This allows an attacker to bypass the intended restrictions and eventually achieve arbitrary code execution.

EPSS 0.05% · 15.5th percentile

Risk Scores

CVSS v4.0
7.900000095367432
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H
EPSS Score
0.05%
15.5th percentile

Affected Products

VendorProductVersions
scoderlupa*

Timeline

  • Apr 6, 2026 CVE Published
  • Apr 8, 2026 Security Advisory
  • Apr 10, 2026 CVE Updated
  • May 18, 2026 EPSS Score
  • May 19, 2026 EPSS Score
  • May 20, 2026 EPSS Score
  • May 21, 2026 EPSS Score
  • May 22, 2026 EPSS Score
  • May 23, 2026 EPSS Score
  • May 24, 2026 EPSS Score
  • May 25, 2026 EPSS Score
  • May 26, 2026 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›