CVE-2026-5559: PyBlade: SSTI/RCE via Bypassed AST Validation in sandbox.py

April 5, 2026 (updated April 8, 2026)

A vulnerability has been found in AntaresMugisho PyBlade 0.1.8-alpha/0.1.9-alpha. The affected element is the function _is_safe_ast of the file sandbox.py of the component AST Validation. Such manipulation leads to improper neutralization of special elements used in a template engine. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

References

github.com/AntaresMugisho/PyBlade
github.com/AntaresMugisho/PyBlade/issues/1
github.com/AntaresMugisho/PyBlade/issues/1
github.com/advisories/GHSA-23jg-5f8m-gw8c
nvd.nist.gov/vuln/detail/CVE-2026-5559
vuldb.com/submit/782904
vuldb.com/vuln/355329
vuldb.com/vuln/355329/cti

Code Behaviors & Features

Detect and mitigate CVE-2026-5559 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →