CVE-2026-33140: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ParzivalHack PySpector
PySpector is a static analysis security testing (SAST) framework engineered for modern Python development workflows. PySpector versions 0.1.6 and prior are affected by a stored Cross-Site Scripting (XSS) vulnerability in the HTML report generator. When PySpector scans a Python file containing JavaScript payloads (i.e. inside a string passed to eval()), the flagged code snippet is interpolated into the HTML report without sanitization. Opening the generated report in a browser causes the embedded JavaScript to execute in the browser's local file context. This issue has been patched in version 0.1.7.
AI Analysis
Technical Summary
PySpector is a static analysis security testing (SAST) framework designed for Python development workflows. Versions 0.1.6 and earlier contain a stored Cross-Site Scripting (XSS) vulnerability (CWE-79) in the HTML report generator component. When PySpector scans Python source files that include JavaScript payloads embedded within strings passed to eval(), the flagged code snippet is directly interpolated into the generated HTML report without proper sanitization or encoding. This results in malicious JavaScript code being embedded in the report file. When the report is opened in a web browser, the embedded script executes in the context of the local file, which can lead to script execution attacks such as stealing local data, manipulating the report content, or performing other malicious actions within the browser environment. The vulnerability does not require any privileges or authentication to exploit, but it does require the victim to open the crafted report file. The issue was publicly disclosed on March 20, 2026, and patched in PySpector version 0.1.7. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, user interaction required, and limited scope impact.
Potential Impact
The primary impact of this vulnerability is the execution of arbitrary JavaScript code in the context of the local file system when a user opens a maliciously crafted PySpector report. This can lead to unauthorized disclosure of sensitive information present on the local machine, manipulation or corruption of the report data, or further exploitation of the user's browser environment. Since PySpector is used in development and security testing workflows, compromised reports could undermine trust in security assessments and potentially expose sensitive source code or analysis results. The vulnerability could be exploited by attackers who can supply or modify Python source files scanned by PySpector or who can trick users into opening malicious reports. Although no known exploits are currently in the wild, the ease of exploitation and the widespread use of PySpector in Python development environments pose a moderate risk to organizations relying on this tool for security testing.
Mitigation Recommendations
To mitigate this vulnerability, organizations and users should immediately upgrade PySpector to version 0.1.7 or later, where the issue has been patched. Until upgrading, users should avoid opening HTML reports generated by PySpector versions prior to 0.1.7, especially reports generated from untrusted or potentially malicious Python source files. Implement strict controls on the source files scanned by PySpector to prevent injection of malicious JavaScript payloads. Additionally, consider opening PySpector reports in isolated or sandboxed browser environments to limit potential damage from script execution. Security teams should review their development and testing workflows to ensure that report files are validated and sanitized before distribution. Incorporating automated scanning of generated reports for embedded scripts could also help detect attempts to exploit this vulnerability.
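The vulnerable pattern and its fix, as an added example that is not PySpector's code: a minimal report generator that interpolates the flagged snippet raw, the same generator with HTML escaping applied, and the post-generation check for stray script tags that the mitigation section suggests. The template, the rule name and the sample snippet are constructed for the example.

```python
import html
import re

# Constructed sample input: a scanned source line that a SAST rule flags for
# eval(). The string argument happens to contain HTML/JavaScript markup.
FLAGGED_SNIPPET = 'eval("<script>alert(document.title)</script>")'

# Constructed report template; the finding's snippet lands in text content.
REPORT_TEMPLATE = (
    "<html><body><h1>Findings</h1>"
    "<div class='finding'><b>{rule}</b><pre><code>{snippet}</code></pre></div>"
    "</body></html>"
)


def render_vulnerable(rule: str, snippet: str) -> str:
    """Vulnerable pattern: the flagged code is interpolated verbatim, so any
    markup inside the scanned source becomes live HTML in the report."""
    return REPORT_TEMPLATE.format(rule=rule, snippet=snippet)


def render_fixed(rule: str, snippet: str) -> str:
    """Fixed pattern: escape every untrusted value as HTML text content.
    html.escape(quote=True) also covers quoted attribute values; it is not
    sufficient for data placed inside <script> blocks or JavaScript strings."""
    return REPORT_TEMPLATE.format(
        rule=html.escape(rule, quote=True),
        snippet=html.escape(snippet, quote=True),
    )


_SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def report_has_live_script(report_html: str) -> bool:
    """Post-generation check: a report built from this template carries no
    <script> tag of its own, so finding one means a snippet escaped into
    markup. Coarse by design; a template that ships its own JavaScript
    would need an allow-list of its known script blocks."""
    return _SCRIPT_TAG.search(report_html) is not None


if __name__ == "__main__":
    bad = render_vulnerable("unsafe-eval", FLAGGED_SNIPPET)
    good = render_fixed("unsafe-eval", FLAGGED_SNIPPET)
    print("vulnerable report has live <script>:", report_has_live_script(bad))
    print("fixed report has live <script>:", report_has_live_script(good))
    print(good)
```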
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Japan, India, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-17T20:35:49.929Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69bda974e32a4fbe5fca0bb7
Added to database: 3/20/2026, 8:09:24 PM
Last enriched: 3/27/2026, 10:43:37 PM
Last updated: 5/5/2026, 6:26:54 AM