// A SECURE PYTHON

Run code without vulnerabilities

When untrusted data reaches a dangerous sink, EyalSec Python raises before the sink call executes, or logs the event to your dashboard. Your existing code, unchanged.

watches network · file · stdin → stops the dangerous sinks → raise, or log to dashboard
// SEE IT CATCH A VULNERABILITY

Two modes — log it, or stop it

Log mode: the event is reported to the dashboard
  14:22:07 · sink exec
  repr   "import os; os.system('id')"
  origin /srv/shared/hook.py  (mode rw-rw-rw-, a world-writable file)

Raise mode: the call is stopped in the terminal before the sink runs
  $ es-python --raise --make-socket-vuln server.py
  RuntimeError: EyalSec: untrusted data from socket:1.2.3.4:443 reached sink os.system
// PROOF — NOT A HYPOTHESIS

It already found two critical CVEs in Django

EyalSec's taint engine surfaced two unauthenticated SQL-injection vulnerabilities in the world's most-deployed Python web framework.

CVE-2024-42005 · CVSS 9.8

SQL injection via crafted JSON object keys used as column aliases in QuerySet.values() / values_list() on models with a JSONField.

CVE-2025-57833 · CVSS 9.8

SQL injection via FilteredRelation column aliases in annotate() / alias() with **kwargs expansion.

// HOW IT WORKS

Taint in, sink out

sources — network sockets, files, stdin: data is marked untrusted at the read
tracked — the taint follows the data as it is copied and transformed
sinks — exec, eval, os.system, subprocess, pickle, yaml, SQL drivers, …: when tainted data arrives, report or raise
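The flow above, and the two modes from the "log it, or stop it" section, modelled in plain Python as an added illustration. This is not EyalSec's code: EyalSec does the tracking inside the CPython interpreter, which is what lets it follow taint through operations a pure-Python model cannot wrap (f-strings, str.format on a plain template, bytes, dict keys). The payload bytes, the origin string `socket:203.0.113.7:443` and every function name here (`read_untrusted`, `gate`, `sanitized`, `demo`) are constructed for the example.

```python
"""Toy model of dynamic taint tracking: mark data at the source, let the
taint follow it through copies and transformations, and gate dangerous
sinks in either 'log' or 'raise' mode.  Added illustration, not EyalSec's
implementation; the names and sample data below are made up."""
import logging
import os
import shlex

log = logging.getLogger("taint")


class TaintError(RuntimeError):
    """Raised in 'raise' mode when tainted data reaches a gated sink."""


class Tainted(str):
    """A str that remembers where its untrusted contents came from."""

    def __new__(cls, value, origin):
        obj = super().__new__(cls, value)
        obj.origin = origin                 # e.g. "socket:203.0.113.7:443" (hypothetical)
        return obj

    def _wrap(self, value):
        # A str derived from tainted input inherits the taint; other types do not.
        return Tainted(value, self.origin) if isinstance(value, str) else value

    # Propagation through the operations a pure-Python model can intercept.
    def __add__(self, other):           # tainted + "x"
        return self._wrap(str.__add__(self, other)) if isinstance(other, str) else NotImplemented

    def __radd__(self, other):          # "x" + tainted
        return self._wrap(str.__add__(other, self)) if isinstance(other, str) else NotImplemented

    def __rmod__(self, template):       # "cmd %s" % tainted
        return self._wrap(str.__mod__(template, self))

    def __getitem__(self, key):         # slicing
        return self._wrap(str.__getitem__(self, key))

    def strip(self, *args):
        return self._wrap(str.strip(self, *args))

    def replace(self, *args):
        return self._wrap(str.replace(self, *args))


def read_untrusted(raw: bytes, origin: str) -> Tainted:
    """Source: bytes from a socket, file or stdin are marked untrusted at the read."""
    return Tainted(raw.decode("utf-8", errors="replace"), origin)


def sanitized(value: str) -> str:
    """Declared sanitizer: copying into a plain str drops the taint.  A real
    tracker would validate here; only an explicit step like this should untaint."""
    return str(value)


def gate(sink_name, func, mode, events):
    """Wrap a dangerous sink.  mode='raise' stops the call before it runs;
    mode='log' records the event (stand-in for the dashboard) and lets it run."""
    def guarded(*args, **kwargs):
        for value in (*args, *kwargs.values()):
            if isinstance(value, Tainted):
                events.append({"sink": sink_name, "origin": value.origin, "repr": str(value)})
                if mode == "raise":
                    raise TaintError(f"untrusted data from {value.origin} reached sink {sink_name}")
                log.warning("untrusted data from %s reached sink %s", value.origin, sink_name)
                break
        return func(*args, **kwargs)
    return guarded


def demo(mode):
    """A service that builds a shell command from a network read.  The payload
    and the origin are constructed for the example; a real service would get
    the bytes from sock.recv()."""
    events = []
    system = gate("os.system", os.system, mode, events)
    raw = b"  hello; echo INJECTED\n"
    name = read_untrusted(raw, "socket:203.0.113.7:443")
    command = "echo %s" % name.strip()[:64]     # strip, slice and %-format all keep the taint
    assert isinstance(command, Tainted)
    try:
        status = system(command)                # in 'log' mode both echo commands really run
        return {"events": events, "outcome": f"ran, exit status {status}"}
    except TaintError as exc:
        return {"events": events, "outcome": f"raised: {exc}"}


def taint_survives_quoting():
    """shlex.quote builds its result with + and .replace, so quoting alone does
    not clear the taint; only the declared sanitizer does."""
    name = read_untrusted(b"hello; echo INJECTED", "socket:203.0.113.7:443")
    return isinstance(shlex.quote(name), Tainted), isinstance(sanitized(name), Tainted)


if __name__ == "__main__":
    print(demo("log")["outcome"])
    print(demo("raise")["outcome"])
```

Two points the model makes visible: the check is placed at the sink, not at the input, so it does not matter how many string operations sit between the read and the call; and quoting or escaping does not remove taint by itself, which is why a real tracker needs explicitly declared sanitizers rather than guessing from the transformations it sees.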
// USE CASES

Anywhere you run code you don't fully trust

AI-generated code an agent executes
third-party dependencies
network-facing services
scripts pulled off the internet
// HOW TO USE

Install once, run your code through it

Your existing Python stays put. Run es-python when you want the safety net.

# 1 · install (adds es-python alongside python; read the script before piping it into a shell)
$ curl -s https://eyalsec.com/install.sh | bash
# 2 · run your code, checks on
$ es-python --raise app.py
// HOW IT COMPARES

Everyone else sits in the wrong place

RASP
  what they do: instrument the app/agent to watch for attacks at runtime
  where they fall short: agent-based and framework-coupled; evadable with encodings the network layer didn't normalize; Python support is a second-class citizen behind Java/.NET
  eyalsec's edge: we are the interpreter; the check is at the C-level sink, language-native, can't be encoded around, framework-agnostic

WAF / edge
  what they do: pattern-match malicious HTTP at the network boundary
  where they fall short: blind to what the code does with a payload once it's inside; high false-positive/negative rates on novel payloads; useless for non-HTTP entry (files, queues, stdin)
  eyalsec's edge: we see the actual data flow inside the process, across all input sources, not just HTTP

SAST
  what they do: statically scan source for risky patterns
  where they fall short: compile-time guesses → high false positives; can't tell whether a path is actually reachable with attacker data at runtime
  eyalsec's edge: zero false positives on real flows; we fire only when actual tainted data reaches a sink at runtime

DAST / fuzzing
  what they do: probe a running app from outside / fuzz inputs
  where they fall short: external black-box view; no visibility into internal taint; coverage-blind to which branch reached which sink
  eyalsec's edge: our fork-replay fuzzer drives inputs through the internal branches with taint awareness, white-box from inside the interpreter

SCA / dependency
  what they do: flag known-CVE dependencies
  where they fall short: tells you a CVE exists; can't tell you whether your running code actually reaches it with tainted data
  eyalsec's edge: we confirm real reachability: "is this CVE'd sink actually hit by attacker data in your app?"

Sandboxing / isolation
  what they do: restrict syscalls / isolate the process
  where they fall short: coarse, all-or-nothing; breaks legitimate functionality; doesn't understand application-level data flow
  eyalsec's edge: we gate the specific tainted-data-to-sink event, leaving everything else untouched

EDR / runtime threat
  what they do: detect malicious behavior at the OS/host level
  where they fall short: detects after the process does something bad; post-exploitation, not prevention
  eyalsec's edge: we act before the dangerous call executes; pre-exploitation prevention
// SAFE TO RUN

It's real CPython, with a seatbelt

Genuine CPython 3.13 — same semantics, not a sandbox
Checks are off until you pass a flag
Only security events leave the box — never your source
// FAQ
Does it slow my code down? — Tracking taint costs cycles; gate only the sinks you need, or run the lighter log-only (observe) mode.
Will my pip packages work? — It's CPython 3.13; pure-Python packages just work, native extensions build from source, so a C toolchain is needed.
Does it send my code anywhere? — No. Only caught security events post to your dashboard; your source never leaves the machine.
