python-statemachine SCXML <data expr> Eval Injection
python-statemachine 3.1.2 evaluates <data expr="…"> attributes in SCXML documents using Python's eval(). Any application that passes attacker-controlled SCXML content to SCXMLProcessor is vulnerable to arbitrary code execution in the context of the hosting process.