Intel

AIKIDO-2026-607274

edgartools is vulnerable to Code Injection

Code Injection Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Yesterday

81

High Risk

This Affects:

PYTHONedgartools
2.23.0 - 5.40.1
Fixed in 5.41.0
Are you affected? Scan for Free

TL;DR

The query() method on Attachments builds a filter expression from the caller's query string and passes it to eval() with Python builtins reachable. Because the evaluation namespace is not sandboxed, a query string that reaches this method can execute arbitrary Python code, such as importing modules, running operating system commands, or reading files. Applications that pass untrusted input into the attachment query are exposed to arbitrary code execution. The fix parses the query into a restricted AST that only allows field access, comparisons, whitelisted string methods, and re matching, raising ValueError on anything else.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application passes untrusted input into the attachment query.

Background info

edgartools is vulnerable to Code Injection in versions 2.23.0 - 5.40.1.

How to fix this

Upgrade the edgartools library to the patch version.