CVE-2026-33140: Stored XSS in PySpector HTML Report Generation leads to JavaScript Code Execution
PySpector versions <= 0.1.6 are affected by a stored Cross-Site Scripting (XSS) vulnerability in the HTML report generator. When PySpector scans a Python file containing a JavaScript payload (for example, inside a string passed to eval()), the flagged code snippet is interpolated into the HTML report without sanitization. Opening the generated report in a browser causes the embedded JavaScript to execute in the browser's local file context.
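As an added illustration, not PySpector's own code, the following hypothetical report-row renderer shows the unsanitized interpolation the advisory describes next to an escaped version, together with a regression check a report generator's test suite could run on a rendered row; the file path, line number and flagged snippet are constructed sample values.

```python
import html
import re

# Constructed sample finding: a scanner flagged an eval() call whose string
# argument carries an HTML <script> tag. The snippet stands in for whatever
# source line a scanner such as PySpector would copy into its report.
FLAGGED_PATH = "app.py"
FLAGGED_LINE = 12
FLAGGED_SNIPPET = 'eval("<script>alert(1)</script>")'


def render_finding_vulnerable(path, lineno, snippet):
    """Vulnerable pattern (as in the advisory): the flagged snippet is
    interpolated into the report markup exactly as it appears in the
    scanned file, so any markup inside it becomes part of the report."""
    return (f"<tr><td>{path}:{lineno}</td>"
            f"<td><pre>{snippet}</pre></td></tr>")


def render_finding_safe(path, lineno, snippet):
    """Hardened pattern: every value that originates from the scanned file
    is HTML-escaped at the interpolation point, so '<', '>', '&' and quotes
    are rendered as text rather than parsed as markup."""
    return (f"<tr><td>{html.escape(str(path))}:{int(lineno)}</td>"
            f"<td><pre>{html.escape(snippet)}</pre></td></tr>")


# A literal <script ...> opening tag must never survive inside a rendered
# finding row; the report's own static scripts, if any, live outside rows.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_raw_script_tag(row_html):
    """Regression check: True if the rendered row still contains an
    unescaped <script> tag, i.e. the XSS pattern is present."""
    return SCRIPT_TAG.search(row_html) is not None


if __name__ == "__main__":
    bad = render_finding_vulnerable(FLAGGED_PATH, FLAGGED_LINE, FLAGGED_SNIPPET)
    good = render_finding_safe(FLAGGED_PATH, FLAGGED_LINE, FLAGGED_SNIPPET)
    print("vulnerable row leaks script tag:", contains_raw_script_tag(bad))
    print("escaped row leaks script tag:   ", contains_raw_script_tag(good))
```

Escaping at the interpolation point is the fix; a restrictive Content-Security-Policy meta tag in the report header only adds defense in depth for browsers that honour it on file:// pages.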