{"id":"CVE-2026-34444","summary":"Lupa has a Sandbox escape and RCE due to incomplete attribute_filter enforcement in getattr / setattr","details":"Lupa integrates the runtimes of Lua or LuaJIT2 into CPython. In 2.6 and earlier, attribute_filter is not consistently applied when attributes are accessed through built-in functions like getattr and setattr. This allows an attacker to bypass the intended restrictions and eventually achieve arbitrary code execution.","aliases":["GHSA-69v7-xpr6-6gjm"],"modified":"2026-07-08T08:12:51.206943492Z","published":"2026-04-06T15:30:30.525Z","related":["CGA-pp9f-4993-23f3","openSUSE-SU-2026:10507-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34444.json","cwe_ids":["CWE-284","CWE-639"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-34444.json"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:22993"},{"type":"ADVISORY","url":"https://access.redhat.com/security/cve/CVE-2026-34444"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34444.json"},{"type":"ADVISORY","url":"https://github.com/scoder/lupa/security/advisories/GHSA-69v7-xpr6-6gjm"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34444"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2455413"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/scoder/lupa","events":[{"introduced":"0"},{"last_affected":"dd520d06ac8229fa8b584a3759887d61f0e6019b"}],"database_specific":{"cpe":"cpe:2.3:a:scoder:lupa:*:*:*:*:*:python:*:*","source":["AFFECTED_FIELD","CPE_RANGE"],"extracted_events":[{"introduced":"0"},{"last_affected":"2.6"}]}}],"versions":["lupa-2.6","lupa-2.5","lupa-2.4","lupa-2.3","lupa-2.2","lupa-2.1-2","lupa-2.1-1","lupa-2.1","lupa-2.0","lupa-1.9","lupa-1.8","lupa-1.7","lupa-1.6","lupa-1.5","lupa-1.4","lupa-1.3","lupa-1.2","lupa-1.1","lupa-1.0.1","lupa-1.0","lupa-1.0b1","lupa-0.21","lupa-0.20","lupa-0.19","lupa-0.18","lupa-0.17","lupa-0.16","lupa-0.15","lupa-0.14","lupa-0.13.1","lupa-0.13","lupa-0.12","lupa-0.10","lupa-0.8","lupa-0.7","lupa-0.6","lupa-0.5","lupa-0.4","lupa-0.3","lupa-0.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34444.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H"}]}