Back to overview

CVE-2026-55830

HIGH Exploitation: PoC
8.3
CVSS 3.1
Description
RestrictedPython is a tool that helps to define a subset of the Python language which allows to provide a program input into a trusted environment. Prior to 8.3, check_function_argument_names() rejected protected guard hook names for regular, variadic, and keyword-only arguments but omitted positional-only arguments, allowing __getattr__, _getitem_, _write_, or _print_ to be shadowed by a local parameter and bypass the embedding application's access policy. This issue is fixed in version 8.3.

Metadata

CVE ID
CVE-2026-55830
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-17 16:29 UTC
Published
2026-07-08 21:16 UTC
Last updated
2026-07-09 13:46 UTC
Primary CWE
CWE-184
CWE-184: Incomplete List of Disallowed Inputs
Vendor / Product
zopefoundation / RestrictedPython
Sources
cve.org  ·  NVD

Severity & Metrics

8.3 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L
SSVC — CISA Coordinator
Exploitation
PoC
Automatable
no
Tech. Impact
total
Affected products (1)
VendorProductPlatformVersions
zopefoundation RestrictedPython < 8.3
Weakness (CWE)
CWESourceDescription
CWE-184 cna CWE-184: Incomplete List of Disallowed Inputs
CVSS scores (1)
ScoreSeverityVersionSourceVector
8.3 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L
References (2)
Back to overview