edgartools is vulnerable to Code Injection
81
High Risk
The query() method on Attachments builds a filter expression from the caller's query string and passes it to eval() with Python builtins reachable. Because the evaluation namespace is not sandboxed, a query string that reaches this method can execute arbitrary Python code, such as importing modules, running operating system commands, or reading files. Applications that pass untrusted input into the attachment query are exposed to arbitrary code execution. The fix parses the query into a restricted AST that only allows field access, comparisons, whitelisted string methods, and re matching, raising ValueError on anything else.
You are affected if you are using a version that falls within the vulnerable range and your application passes untrusted input into the attachment query.
edgartools is vulnerable to Code Injection in versions 2.23.0 - 5.40.1.
Upgrade the edgartools library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant