CVE-2026-34444 HIGH

CVE-2026-34444: Lupa has a Sandbox escape and RCE due to incomplete attribute_filter enforcement in getattr / setattr

Vendor Scoder
Product lupa
Weakness CWE-284
Published April 6, 2026
Last update April 6, 2026

CVSS base score

7.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H

What the vulnerability does

01 Description

Lupa integrates the runtimes of Lua or LuaJIT2 into CPython. In versions 2.6 and earlier, attribute_filter is not consistently applied when attributes are accessed through built-in functions such as getattr and setattr. This allows an attacker to bypass the intended restrictions and eventually achieve arbitrary code execution.

Key dates

02 Disclosure timeline

April 6, 2026 CVE published
April 6, 2026 Record updated