CVE-2026-31225
Published 2026-05-12
Priority: P2 60 · Severity: high · CVSS 3.1 base score: 8.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.40% (32.3rd percentile)
The superduper project through v0.10.0 contains a critical remote code execution vulnerability in its query parsing component. The _parse_op_part() function in query.py uses the unsafe eval() function to dynamically evaluate user-supplied query operands without proper sanitization or restriction. Although the function attempts to limit the execution context by providing a restricted global namespace, it does not block access to dangerous built-in functions. A remote attacker can exploit this by submitting a specially crafted query string containing Python code that imports modules (e.g., os) and executes arbitrary system commands, leading to complete compromise of the server.
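As an added illustration, not code from the superduper project: a hypothetical stand-in for an eval()-based operand parser that relies on a "restricted" globals dict, beside a hardened version that accepts only Python literals via ast.literal_eval. The function names and the sample operands are constructed for this example.

```python
import ast


def parse_op_part_unsafe(text: str):
    """Weak pattern (hypothetical stand-in): eval() with a 'restricted' globals dict.

    An empty globals mapping is not a sandbox. When the mapping has no
    '__builtins__' key, CPython inserts the real builtins module, so every
    built-in name remains reachable from the evaluated expression.
    """
    return eval(text, {})


def builtins_reachable_in_restricted_eval() -> bool:
    """Show that a built-in (the harmless len) is still callable under eval(text, {})."""
    return parse_op_part_unsafe("len('abc')") == 3


def parse_op_part(text: str):
    """Hardened replacement: accept only Python literal syntax.

    ast.literal_eval never evaluates calls, attribute access, names or imports.
    Anything beyond literals (numbers, strings, bytes, tuples, lists, dicts,
    sets, booleans, None) raises, which is folded into one rejection type.
    """
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError(f"operand is not a plain literal: {text!r}") from exc


def is_rejected(text: str) -> bool:
    """True when the hardened parser refuses the operand."""
    try:
        parse_op_part(text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample operands: the first three are legitimate query values,
    # the last is a function call, which a literal-only parser must refuse.
    for sample in ["42", "'alice'", "{'age': {'$gt': 30}}", "len('abc')"]:
        print(sample, "->", "rejected" if is_rejected(sample) else parse_op_part(sample))
```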
GHSA-2799-6g5r-mmc7 (ghsa_unreviewed, 2026-05-12): CVE-2026-31225 [HIGH] CWE-94
GHSA (ghsa, 2026-05-12): CVE-2026-31225 [HIGH] CWE-94: Superduper: Remote code execution via unsafe eval in superduper query parsing
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.