CVE-2026-32640

(SimpleEval) Objects (including modules) can leak dangerous modules through to direct access inside the sandbox.

Assigner: GitHub_M
Reserved: 12.03.2026 Published: 13.03.2026 Updated: 13.03.2026

SimpleEval is a library for adding evaluatable expressions into python projects. Prior to 1.0.5, objects (including modules) can leak dangerous modules through to direct access inside the sandbox. If the objects you've passed in as names to SimpleEval have modules or other disallowed / dangerous objects available as attrs. Additionally, dangerous functions or modules could be accessed by passing them as callbacks to other safe functions to call. The latest version 1.0.5 has this issue fixed. This vulnerability is fixed in 1.0.5.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
CVSS Score: 8.7

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	None	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	danthedeckie
Product	simpleeval
Versions	Version < 1.0.5 is affected

Vendor

danthedeckie

Product

simpleeval

Versions

Version < 1.0.5 is affected

References

Problem Types

CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes CWE
CWE-94: Improper Control of Generation of Code ('Code Injection') CWE

CVE-2026-32640 PUBLISHED

(SimpleEval) Objects (including modules) can leak dangerous modules through to direct access inside the sandbox.

Metrics

Product Status

References

Problem Types