CVE-2026-33140: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ParzivalHack PySpector
PySpector is a static analysis security testing (SAST) Framework engineered for modern Python development workflows. PySpector versions 0.1.6 and prior are affected by a stored Cross-Site Scripting (XSS) vulnerability in the HTML report generator. When PySpector scans a Python file containing JavaScript payloads (i.e. inside a string passed to eval()), the flagged code snippet is interpolated into the HTML report without sanitization. Opening the generated report in a browser causes the embedded JavaScript to execute in the browser's local file context. This issue has been patched in version 0.1.7.
AI Analysis
Technical Summary
PySpector is a static analysis security testing (SAST) framework designed for Python development workflows. Versions 0.1.6 and earlier are vulnerable to a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2026-33140. The vulnerability exists in the HTML report generator component of PySpector. When PySpector scans Python files containing JavaScript payloads embedded within strings passed to eval(), it flags these code snippets and interpolates them directly into the generated HTML report without sanitization or output encoding. Because the flagged snippet is written into the report as raw markup rather than as escaped text, any JavaScript it contains is stored in the report. When a user opens the generated HTML report in a web browser, that JavaScript executes in the browser's local file context, which can lead to unauthorized script execution. This could allow attackers to perform actions such as stealing local data accessible via the browser, manipulating the report content, or potentially exploiting browser vulnerabilities. The vulnerability does not require any authentication to exploit, but it does require the victim to open the crafted report file, so user interaction is necessary. The issue was addressed and patched in PySpector version 0.1.7 by sanitizing the flagged code snippets before embedding them in the HTML report. There are no known exploits in the wild at the time of publication. The CVSS 4.0 vector indicates a network attack vector, low attack complexity, and no privileges or user interaction required for the attack to succeed; in practice, however, user interaction is needed to open the report. The scope is limited to the local environment where the report is opened.
Potential Impact
The primary impact of this vulnerability is the execution of arbitrary JavaScript code in the context of the local file system when a user opens a maliciously crafted PySpector report. This can lead to several security risks including unauthorized access to local files accessible via the browser, theft of sensitive information, manipulation or corruption of the report data, and potential pivoting to further attacks if browser vulnerabilities are chained. For organizations, this could result in leakage of sensitive code analysis results or local data, undermining the confidentiality and integrity of development workflows. Since PySpector is used in Python development environments, compromised reports could affect developers, security analysts, and quality assurance teams, potentially impacting software supply chain security. Although the vulnerability requires user interaction (opening the report), the risk is significant in environments where reports are shared or stored in locations accessible to multiple users. The vulnerability does not affect the availability of systems but can erode trust in the security of development tools and processes.
Mitigation Recommendations
Organizations and users should immediately upgrade PySpector to version 0.1.7 or later, where the vulnerability has been patched. Until upgrading, users must avoid opening HTML reports generated by PySpector versions prior to 0.1.7, especially if the reports originate from untrusted or unknown sources. Implement strict controls on the distribution and storage of PySpector reports to prevent malicious report injection. Security teams should educate developers and analysts about the risks of opening untrusted reports and encourage scanning of report files with endpoint protection solutions. Additionally, consider opening reports in sandboxed or isolated environments to limit the impact of potential script execution. Monitoring for unusual browser activity or local file access during report viewing can help detect exploitation attempts. Finally, incorporate secure coding and input sanitization best practices in custom report generation or tooling integrations to prevent similar issues.
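The root cause described above (a flagged snippet interpolated into HTML as markup) and the last mitigation point (output sanitization in custom report generation) can be shown side by side. The following is an added example written for this page; it is not PySpector's code, and the finding layout, function names and sample snippets are constructed assumptions. It renders the same constructed findings with a vulnerable row renderer and with a hardened one that applies `html.escape`, then uses a small `HTMLParser` subclass to count how many `<script>` elements a browser would actually parse from each report.

```python
import html
from html.parser import HTMLParser

# Constructed sample findings, shaped like what a SAST tool might flag.
# The second snippet carries a JavaScript payload inside a string passed
# to eval(), which is the case the advisory describes.  Rule ids and file
# names are assumptions, not PySpector's.
FINDINGS = [
    {"file": "app/util.py", "line": 12, "rule": "dangerous-eval",
     "snippet": "result = eval(user_input)"},
    {"file": "app/views.py", "line": 40, "rule": "dangerous-eval",
     "snippet": "eval(\"<script>document.title='injected'</script>\")"},
]


def render_row_vulnerable(finding):
    # Direct interpolation: the snippet lands in the page as live markup,
    # so any <script> element inside it becomes part of the report DOM.
    return (f"<tr><td>{finding['file']}:{finding['line']}</td>"
            f"<td>{finding['rule']}</td>"
            f"<td><code>{finding['snippet']}</code></td></tr>")


def render_row_fixed(finding):
    # html.escape with quote=True turns <, >, &, " and ' into entities, so
    # the snippet is displayed as text rather than parsed as markup.
    def e(value):
        return html.escape(str(value), quote=True)
    return (f"<tr><td>{e(finding['file'])}:{e(finding['line'])}</td>"
            f"<td>{e(finding['rule'])}</td>"
            f"<td><code>{e(finding['snippet'])}</code></td></tr>")


def render_report(findings, row_renderer):
    """Build a minimal HTML report from findings using the given row renderer."""
    rows = "\n".join(row_renderer(f) for f in findings)
    return ("<!doctype html><html><head><meta charset='utf-8'>"
            "<title>Scan report</title></head><body><table>"
            "<tr><th>Location</th><th>Rule</th><th>Snippet</th></tr>\n"
            f"{rows}\n</table></body></html>")


class ScriptTagCounter(HTMLParser):
    """Counts <script> start tags the way an HTML parser would see them."""

    def __init__(self):
        super().__init__()
        self.count = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.count += 1


def count_script_elements(document):
    """Return the number of real <script> elements in an HTML document."""
    parser = ScriptTagCounter()
    parser.feed(document)
    parser.close()
    return parser.count


if __name__ == "__main__":
    vulnerable = render_report(FINDINGS, render_row_vulnerable)
    fixed = render_report(FINDINGS, render_row_fixed)
    print("script elements, vulnerable report:", count_script_elements(vulnerable))
    print("script elements, hardened report:  ", count_script_elements(fixed))
```

The parser-based check is the useful part for a reviewer: grepping for the literal string `<script>` would flag both reports, because the hardened one still contains the characters in entity form, whereas parsing shows that only the vulnerable report yields a script element the browser would execute. The same check can be run as a regression test over any report a tool emits for a scan of deliberately awkward input.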
Affected Countries
United States, Germany, United Kingdom, Canada, France, Japan, Australia, Netherlands, India, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-17T20:35:49.929Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69bda974e32a4fbe5fca0bb7
Added to database: 3/20/2026, 8:09:24 PM
Last enriched: 3/20/2026, 8:25:20 PM
Last updated: 3/21/2026, 3:53:51 AM
Views: 13