External risk intelligence

Python StateMachine SCXML Injection RCE

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2026-47103

A vulnerability in the Python StateMachine library allows remote code execution when processing malicious SCXML documents. Attackers can exploit this by supplying crafted documents that cause arbitrary code to run within the application's process. The reachability of this vulnerability depends on how the library is imp

Halo Surface Signal: 3

Remote Code Execution

External exposure likelihood

Halo Surface Signal score for CVE-2026-47103

The vulnerability resides in a software library used for state machine processing. While it could be integrated into internet-facing applications that parse SCXML documents, it is a backend component, not a standalone edge service. Its reachability depends entirely on how a developer implements the library within their specific application architecture.

PCI scan relevance

PCI Relevance for CVE-2026-47103

Yes

CVE-2026-47103 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This CVE involves remote code execution in Python StateMachine, which can lead to an automatic failure of PCI scans.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in the Python StateMachine library allows for remote code execution when processing specially crafted SCXML documents. This could enable an attacker to run arbitrary code on systems using affected versions of the library, with the potential impact dependent on how the library is integrated into an application.

  • Code execution via malicious document input.
  • Library vulnerability impacts application security.
  • Confirm relevance and assess potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker can trigger this vulnerability by providing a specially crafted SCXML document to an application that uses the vulnerable Python StateMachine library. This document would contain malicious code within `<data expr="...">` attributes, which the application then processes. Because the library evaluates these expressions unsafely using Python's `eval()` function without proper sandboxing, the attacker can execute arbitrary code on the server running the application.

  • No authentication or user interaction required.
  • Supplying a malicious SCXML document triggers the vulnerability.
  • Risk of arbitrary code execution.

Live Threat

Current exploitation, exposure, and threat context

The Python StateMachine library could allow attackers to execute arbitrary code within the hosting process when processing specially crafted SCXML documents. This occurs because the library passes expression strings to Python's `eval()` function without adequate security measures, enabling malicious code execution under specific conditions.

  • Affected scope: the memory and execution context of the hosting process.
  • Trigger: malicious SCXML documents processed by the library.
  • Outcome: arbitrary code execution in the application context.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in Python StateMachine affects applications processing untrusted SCXML data. Ownership likely lies with the application development team that integrated the library, with support from platform or infrastructure teams for deployment. The initial action is to inventory all deployments, assess exposure, and identify the business criticality of each instance.

  • Application owners should manage the issue.
  • Verify SCXML processing reachability and criticality.
  • Plan remediation based on assessed risk.

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the role of Python StateMachine?

Python StateMachine is a library designed to help developers model complex workflows and state transitions in backend applications. It provides the structure for managing logic flow, though it functions as a backend component integrated into larger software systems rather than serving as a standalone internet-facing service or application.

How does CWE-95 impact CVE-2026-47103?

This vulnerability is classified as CWE-95, Improper Neutralization of Directives in Dynamically Evaluated Code. The flaw exists because the library performs unsafe evaluation of SCXML attributes. By using Python's built-in `eval()` function on attacker-provided data, the library inadvertently allows the execution of arbitrary commands embedded within these processed expressions.

What conditions trigger this remote code execution?

The vulnerability is triggered when an application processes a maliciously crafted SCXML document containing an attacker-controlled `<data expr="...">` attribute. The path to execution requires the library to parse the input and pass the attribute string into the unsafe `eval()` call chain. This does not require application authentication or user interaction to trigger.

Is my system reachable for this attack?

According to the Halo Surface Signal, the library is a backend component rather than a standalone edge service. Your exposure depends entirely on your specific implementation; if your application architecture allows external users to supply SCXML documents that the library then parses, the system may be reachable. The risk is limited to applications that expose this processing logic.

How should teams respond to this vulnerability?

Development teams should first inventory all internal systems to identify where the Python StateMachine library is utilized. Assess whether any deployments process SCXML data from untrusted sources, as this defines the exposure level. Prioritize updating to version 3.2.0 or later to neutralize the evaluation flaw and secure the application runtime environment.
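The Attack Path section and the FAQ above both come down to one mechanism: string values of `expr` (and `cond`) attributes in an SCXML document reach `eval()`. Until an affected deployment is upgraded, a defender can gate untrusted documents before they reach the library by parsing the SCXML and rejecting any expression whose Python AST contains calls, attribute access, subscripts or other code-bearing constructs. The following is an added example written for this page, not code from the python-statemachine project or the advisory; the element and attribute names follow the SCXML standard, and the two sample documents are constructed.

```python
import ast
import xml.etree.ElementTree as ET

# AST node types an untrusted expr/cond attribute is allowed to use: literals, bare
# names, arithmetic, comparisons and boolean logic. Call, Attribute, Subscript, Lambda
# and comprehensions are absent on purpose: those are the constructs that turn an
# eval()'d string into arbitrary code.
ALLOWED_NODES = (
    ast.Expression, ast.Constant, ast.Name, ast.List, ast.Tuple, ast.Dict,
    ast.BinOp, ast.UnaryOp, ast.BoolOp, ast.Compare,
    ast.operator, ast.unaryop, ast.boolop, ast.cmpop, ast.expr_context,
)

def expression_is_benign(expr: str) -> bool:
    """True if expr parses as a single Python expression using only allow-listed nodes."""
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError:
        return False
    return all(isinstance(node, ALLOWED_NODES) for node in ast.walk(tree))

def vet_scxml(document: str) -> list:
    """Return (element, attribute, value) for every expr/cond that fails the allow-list.
    An empty list means the document may be handed to the state machine library."""
    root = ET.fromstring(document)
    findings = []
    for element in root.iter():
        for attr in ("expr", "cond"):
            value = element.attrib.get(attr)
            if value is not None and not expression_is_benign(value):
                findings.append((element.tag.split("}")[-1], attr, value))
    return findings

# Constructed sample documents (not taken from the advisory).
BENIGN_DOC = """<scxml xmlns="http://www.w3.org/2005/07/scxml" initial="idle">
  <datamodel><data id="retries" expr="3"/><data id="limit" expr="retries * 2 + 1"/></datamodel>
  <state id="idle"><transition cond="retries &gt; 0" target="idle"/></state>
</scxml>"""

SUSPECT_DOC = """<scxml xmlns="http://www.w3.org/2005/07/scxml" initial="idle">
  <datamodel><data id="n" expr="len('abc')"/><data id="r" expr="retries.real"/></datamodel>
  <state id="idle"/>
</scxml>"""

if __name__ == "__main__":
    print("benign document findings:", vet_scxml(BENIGN_DOC))   # []
    print("suspect document findings:", vet_scxml(SUSPECT_DOC))  # two rejected expr values
```

The allow-list is a pre-screen for documents from untrusted sources, not a sandbox: names in an accepted expression still resolve in whatever namespace the library's `eval()` uses, so the upgrade to 3.2.0 or later remains the actual fix.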
