CVE-2026-34444
Lupa integrates the runtimes of Lua or LuaJIT2 into CPython. In 2.6 and earlier, attribute_filter is not consistently applied when attribute
CVSS
10.0
Critical
EPSS
0.6%
p45
KEV
—
Exploit Today
14
0-100
Published: Apr 6, 2026 · Last modified: Jul 15, 2026 · CWE-284 · CWE-639 · CWE-914
0.6%EPSS · 30 days0.6%
2026-06-302026-07-17
Lupa integrates the runtimes of Lua or LuaJIT2 into CPython. In 2.6 and earlier, attribute_filter is not consistently applied when attributes are accessed through built-in functions like getattr and setattr. This allows an attacker to bypass the intended restrictions and eventually achieve arbitrary code execution.
- github.comhttps://github.com/scoder/lupa/security/advisories/GHSA-69v7-xpr6-6gjm
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:22993
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2026-34444
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2455413
- security.access.redhat.comhttps://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-34444.json
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-552558.4 HIG42.8%
KEV—63Langflow Authorization Bypass Through User-Controlled Key Vulnerability10dCVE-2021-464168.1 HIG89.9%
——27Insecure direct object reference in SUNNY TRIPOWER 5.0 Firmware version 3.10.16.R leads to unauthorized user groups accessing due to insecure cookie handling.4dCVE-2026-503517.8 HIG84.8%
——25Improper access control in Windows Audio Compression Manager (ACM) allows an authorized attacker to elevate privileges locally.1dCVE-2026-504237.8 HIG82.8%
——25Improper access control in Windows Kernel allows an authorized attacker to elevate privileges locally.3dCVE-2026-498057.0 HIG81.6%
——24Improper access control in Windows Win32K allows an authorized attacker to elevate privileges locally.1dCVE-2023-285319.8 CRI81.1%
——24ssh-add in OpenSSH before 9.3 adds smartcard keys to ssh-agent without the intended per-hop destination constraints. The earliest affected version is 8.9.4d