Platform: python
Component: simpleeval
Fixed in: 1.0.6, 1.0.5
CVE-2026-32640 is a high-severity vulnerability affecting the SimpleEval Python library. This flaw allows attackers to leak potentially dangerous modules and functions through object access within the library's sandbox environment. Versions 1.0.0 through 1.0.4 are vulnerable, and a fix is available in version 1.0.5.
The core of this vulnerability lies in SimpleEval's sandboxing mechanism. SimpleEval is designed to evaluate expressions within a restricted environment, preventing access to sensitive system resources. However, CVE-2026-32640 bypasses this restriction. An attacker can craft malicious objects, including modules, that, when passed into SimpleEval, expose dangerous attributes and functions to the sandbox. This effectively allows the attacker to execute arbitrary code or access restricted resources, significantly compromising the security of applications relying on SimpleEval for safe expression evaluation. The potential impact extends to any application using SimpleEval to evaluate user-provided input, as this input could be manipulated to trigger the vulnerability.
CVE-2026-32640 was publicly disclosed on 2026-03-13. As of this writing, it is not listed on the CISA KEV catalog, and there are no publicly available proof-of-concept exploits. The EPSS score is likely to be assessed as medium due to the potential for code execution and the availability of the fix, but the lack of public exploits reduces the immediate risk. Monitor security advisories and threat intelligence feeds for any signs of active exploitation.
Exploit Status
EPSS: 0.13% (32nd percentile)
CISA SSVC
The primary mitigation for CVE-2026-32640 is to immediately upgrade SimpleEval to version 1.0.5 or later. This version includes a fix that prevents the object leakage vulnerability. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing input validation and sanitization to restrict the objects passed to SimpleEval. Carefully review the objects being passed into the sandbox and ensure they do not contain potentially dangerous attributes or functions. While not a complete solution, this can reduce the attack surface. There are no specific WAF or proxy rules that can directly address this vulnerability, as it's a code-level flaw within SimpleEval itself.
Update the SimpleEval library to version 1.0.5 or higher to mitigate the vulnerability. This version fixes the issue by preventing dangerous objects from leaking into the sandbox, which closes the path to unauthorized access to functions and modules.
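Two pre-flight checks that implement the mitigations above, as an added example (not code from the simpleeval project or this advisory): one flags an installed version inside the affected 1.0.0 to 1.0.4 range, the other audits the names dict an application intends to hand to simpleeval and rejects bindings (modules, classes, callables, containers holding them) whose attribute access is the leakage path the advisory describes. The function names and the sample namespace in demo() are constructed for this example.

```python
"""Pre-flight checks for applications that feed user input to simpleeval."""
import types

# Affected range stated in the advisory: 1.0.0 through 1.0.4; fixed in 1.0.5.
VULNERABLE_MIN = (1, 0, 0)
FIXED_IN = (1, 0, 5)
_SAFE_SCALARS = (int, float, complex, str, bytes, bool, type(None))


def parse_version(version: str) -> tuple:
    """Turn '1.0.4' into (1, 0, 4). A suffix such as '1.0.5rc1' is cut at
    the first non-digit, so pre-releases compare as their base version."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple((parts + [0, 0, 0])[:3])


def is_version_vulnerable(version: str) -> bool:
    """True when the installed simpleeval version is in the affected range."""
    return VULNERABLE_MIN <= parse_version(version) < FIXED_IN


def _reject_reason(value, depth=0):
    """None when `value` may be bound into the sandbox, else a short reason.
    Allowlist approach: only scalars and containers of scalars pass."""
    if isinstance(value, _SAFE_SCALARS):
        return None
    if isinstance(value, types.ModuleType):
        return "module"
    if isinstance(value, type):
        return "class"
    if callable(value):
        return "callable"
    if depth > 8:
        return "nesting too deep"
    if isinstance(value, (list, tuple, set, frozenset, dict)):
        items = value.values() if isinstance(value, dict) else value
        for item in items:
            reason = _reject_reason(item, depth + 1)
            if reason:
                return "contains " + reason
        return None
    return "unsupported type " + type(value).__name__


def unsafe_name_bindings(names: dict) -> dict:
    """Map each key whose value must not reach the sandbox to its reason."""
    return {k: r for k, v in names.items() if (r := _reject_reason(v))}


def demo() -> dict:
    """Constructed sample namespace mixing harmless values with bindings that
    should be rejected before the dict is ever passed to simpleeval."""
    import math
    sample = {"price": 9.5, "tags": ["a", "b"], "m": math, "f": len,
              "cls": int, "mixed": [1, math]}
    return unsafe_name_bindings(sample)
```

Run unsafe_name_bindings() on the real names dict at the point where it is built; an empty result means every binding is a plain value, and a non-empty one names the binding to remove before upgrading is possible.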
CVE-2026-32640 is a high-severity vulnerability in SimpleEval versions 1.0.0 through 1.0.4 that allows attackers to leak dangerous modules and functions within the sandbox, potentially leading to code execution.
You are affected if you are using SimpleEval versions 1.0.0, 1.0.1, 1.0.2, 1.0.3, or 1.0.4 in your Python applications.
Upgrade SimpleEval to version 1.0.5 or later to remediate the vulnerability. If upgrading is not immediately possible, implement strict input validation and sanitization.
As of now, there are no publicly available proof-of-concept exploits or confirmed reports of active exploitation, but it's crucial to apply the fix proactively.
Refer to the SimpleEval project's official repository or documentation for the latest security advisories and updates related to CVE-2026-32640.