Platform: python
Component: simpleeval
Fixed in: 1.0.6, 1.0.5
CVE-2026-32640 is a high-severity vulnerability affecting the SimpleEval Python library. This flaw allows attackers to leak potentially dangerous modules and functions through object access within the library's sandbox environment. Versions 1.0.0 through 1.0.4 are vulnerable, and a fix is available in version 1.0.5.
The core of this vulnerability lies in SimpleEval's sandboxing mechanism. SimpleEval is designed to evaluate expressions within a restricted environment, preventing access to sensitive system resources. However, CVE-2026-32640 bypasses this restriction. An attacker can craft malicious objects, including modules, that, when passed into SimpleEval, expose dangerous attributes and functions to the sandbox. This effectively allows the attacker to execute arbitrary code or access restricted resources, significantly compromising the security of applications relying on SimpleEval for safe expression evaluation. The potential impact extends to any application using SimpleEval to evaluate user-provided input, as this input could be manipulated to trigger the vulnerability.
CVE-2026-32640 was publicly disclosed on 2026-03-13. As of this writing, it is not listed on the CISA KEV catalog, and there are no publicly available proof-of-concept exploits. The EPSS score is likely to be assessed as medium due to the potential for code execution and the availability of the fix, but the lack of public exploits reduces the immediate risk. Monitor security advisories and threat intelligence feeds for any signs of active exploitation.
Applications that utilize SimpleEval to evaluate user-provided expressions, particularly those deployed in environments where user input is not thoroughly validated, are at significant risk. This includes applications that dynamically generate code or configurations based on user input, as well as those that use SimpleEval for sandboxed scripting or evaluation of untrusted data.
• python / library:
# Version check uses the standard-library importlib.metadata instead of the
# deprecated pkg_resources; the unused simpleeval/inspect imports were dropped.
from importlib.metadata import version, PackageNotFoundError

# Check for vulnerable versions (1.0.0 through 1.0.4 per the advisory)
try:
    installed = version('simpleeval')
except PackageNotFoundError:
    installed = None
if installed in ['1.0.0', '1.0.1', '1.0.2', '1.0.3', '1.0.4']:
    print("Vulnerable SimpleEval version detected!")
# Inspect objects passed to SimpleEval for potentially dangerous attributes
# This is a simplified example and requires more robust analysis
• generic web: Review application code that utilizes SimpleEval to identify potential injection points where malicious objects could be passed to the library.
Disclosure
Exploit status
EPSS: 0.13% (32nd percentile)
CISA SSVC
The primary mitigation for CVE-2026-32640 is to immediately upgrade SimpleEval to version 1.0.5 or later. This version includes a fix that prevents the object leakage vulnerability. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing input validation and sanitization to restrict the objects passed to SimpleEval. Carefully review the objects being passed into the sandbox and ensure they do not contain potentially dangerous attributes or functions. While not a complete solution, this can reduce the attack surface. There are no specific WAF or proxy rules that can directly address this vulnerability, as it's a code-level flaw within SimpleEval itself.
Upgrade the SimpleEval library to version 1.0.5 or later to mitigate the vulnerability. This version fixes the problem by preventing dangerous objects from leaking inside the sandbox, blocking unauthorized access to functions and modules.
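The detection guidance above stops at a version check, and the mitigation advice asks callers to "restrict the objects passed to SimpleEval" without showing how. The following is an added example, not code from the advisory or from the SimpleEval project. It assumes the affected range stated on this page (1.0.0 through 1.0.4, fixed in 1.0.5) and SimpleEval's public `SimpleEval(names=...).eval(expr)` API; the version parser, the plain-data allow-list and the `guarded_eval` wrapper are this example's own. The sample `names` dictionaries in the `__main__` block are constructed for the demo.

```python
"""Defensive checks for code that hands objects to a SimpleEval sandbox."""
import types
from importlib import metadata

# Affected range per the advisory: 1.0.0 through 1.0.4, fixed in 1.0.5.
AFFECTED_LOW = (1, 0, 0)
AFFECTED_HIGH = (1, 0, 4)

# Only plain data is allowed into the sandbox's name table (assumption of
# this example: the application never needs to expose modules or callables).
SAFE_SCALARS = (bool, int, float, str, type(None))


def parse_version(text):
    """'1.0.5' -> (1, 0, 5); a non-numeric tail such as 'rc1' ends the parse."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_affected_version(text):
    """True when the version string falls inside the advisory's affected range."""
    return AFFECTED_LOW <= parse_version(text) <= AFFECTED_HIGH


def installed_simpleeval_affected():
    """Run the version check against the installed package, if any."""
    try:
        return is_affected_version(metadata.version("simpleeval"))
    except metadata.PackageNotFoundError:
        return False


def _walk(path, value, problems):
    """Recursively confirm that `value` is plain data; record anything else."""
    if isinstance(value, SAFE_SCALARS):
        return
    if isinstance(value, (list, tuple)):
        for i, item in enumerate(value):
            _walk(f"{path}[{i}]", item, problems)
        return
    if isinstance(value, dict):
        for key, item in value.items():
            if not isinstance(key, str):
                problems.append(f"{path}: non-string key {key!r}")
            _walk(f"{path}[{key!r}]", item, problems)
        return
    # Modules, classes, functions and arbitrary instances all carry attributes
    # that an expression could walk; reject them rather than trying to filter.
    kind = "module" if isinstance(value, types.ModuleType) else type(value).__name__
    problems.append(f"{path}: disallowed object of type {kind}")


def find_unsafe_names(names):
    """Return a list of problems; an empty list means the names dict is plain data."""
    problems = []
    for key, value in names.items():
        _walk(key, value, problems)
    return problems


def guarded_eval(expr, names):
    """Evaluate `expr` only after `names` passes the plain-data check.

    The SimpleEval call is the only part that needs the simpleeval package.
    """
    problems = find_unsafe_names(names)
    if problems:
        raise ValueError("refusing to evaluate: " + "; ".join(problems))
    from simpleeval import SimpleEval
    return SimpleEval(names=names).eval(expr)


if __name__ == "__main__":
    # Constructed sample inputs for the demo.
    print("installed simpleeval affected:", installed_simpleeval_affected())
    plain = {"price": 12.5, "qty": 3, "tags": ["a", "b"]}
    leaky = {"price": 12.5, "helper": types}  # a module object in the name table
    print("plain:", find_unsafe_names(plain))
    print("leaky:", find_unsafe_names(leaky))
    try:
        print(guarded_eval("price * qty", plain))
    except ImportError:
        print("simpleeval not installed; skipping evaluation")
```

The allow-list approach is deliberately strict: rather than trying to enumerate which attributes of a module or class are dangerous, it refuses anything that is not scalar, list, tuple or dict, which removes the object-leak surface described above regardless of the installed version. Upgrading to 1.0.5 remains the actual fix; the check is a compensating control for the interim.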
CVE-2026-32640 is a high-severity vulnerability in SimpleEval versions 1.0.0 through 1.0.4 that allows attackers to leak dangerous modules and functions within the sandbox, potentially leading to code execution.
You are affected if you are using SimpleEval versions 1.0.0, 1.0.1, 1.0.2, 1.0.3, or 1.0.4 in your Python applications.
Upgrade SimpleEval to version 1.0.5 or later to remediate the vulnerability. If upgrading is not immediately possible, implement strict input validation and sanitization.
As of now, there are no publicly available proof-of-concept exploits or confirmed reports of active exploitation, but it's crucial to apply the fix proactively.
Refer to the SimpleEval project's official repository or documentation for the latest security advisories and updates related to CVE-2026-32640.