CVE-2026-32640
Published: 16 March 2026
Description
Adversaries may abuse Python commands and scripts for execution.
Security Summary
CVE-2026-32640 is a sandbox escape vulnerability in SimpleEval, a Python library for safely evaluating mathematical expressions. Versions prior to 1.0.5 allow objects passed as names to the evaluator to leak dangerous modules or other disallowed objects through direct attribute access within the sandbox. Additionally, attackers can reach hazardous functions or modules by passing them as callbacks to otherwise safe functions.
The vulnerability can be exploited remotely by unauthenticated attackers with low complexity and no user interaction required, as indicated by its CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Exploitation occurs if an attacker can influence the objects provided as names or callbacks to SimpleEval, enabling them to bypass sandbox restrictions and access sensitive modules or execute arbitrary dangerous code, potentially leading to high confidentiality, integrity, and availability impacts (mapped to CWE-94 and CWE-915).
The GitHub security advisory (GHSA-44vg-5wv2-h2hg) confirms the issue is fully resolved in SimpleEval version 1.0.5, recommending immediate upgrades for all prior versions to mitigate the sandbox bypass risks.
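The summary above describes richer objects than plain values being handed to SimpleEval as names. As an added illustration, not code from the SimpleEval project or the advisory, the following helper audits a `names` mapping before it reaches the evaluator so that only plain data values are exposed, and compares an installed version string against the fixed release; the function names and the sample mapping are constructed for this example, and upgrading to 1.0.5 remains the actual fix.

```python
from typing import Any, Mapping

# Constructed allowlist: values with no attribute surface that an
# expression could walk towards a module, class or callable.
SAFE_SCALARS = (int, float, str, bool, type(None))


def is_safe_name_value(value: Any) -> bool:
    """True only for plain data; modules, classes, functions and
    arbitrary instances are rejected (hypothetical helper)."""
    if isinstance(value, SAFE_SCALARS):
        return True
    if isinstance(value, (list, tuple, set, frozenset)):
        return all(is_safe_name_value(v) for v in value)
    if isinstance(value, dict):
        return all(isinstance(k, str) and is_safe_name_value(v)
                   for k, v in value.items())
    return False


def check_names(names: Mapping[str, Any]) -> list[str]:
    """Return the keys whose values should not be passed as SimpleEval names."""
    return [k for k, v in names.items() if not is_safe_name_value(v)]


def version_tuple(version: str) -> tuple[int, ...]:
    # Simplistic parse of "major.minor.patch"; pre-release tags are not handled.
    return tuple(int(part) for part in version.split(".")[:3])


def is_patched(version: str, fixed: str = "1.0.5") -> bool:
    """True when the given SimpleEval version is at or above the fixed release."""
    return version_tuple(version) >= version_tuple(fixed)


# Constructed sample: two plain values plus a module and a builtin that
# must never be exposed to the evaluator.
import os
SAMPLE_NAMES = {"price": 9.5, "qty": 3, "cfg": os, "helper": len}

if __name__ == "__main__":
    print("unsafe names:", check_names(SAMPLE_NAMES))  # ['cfg', 'helper']
    print("1.0.4 patched:", is_patched("1.0.4"))      # False
```

Rejecting such values narrows the attack surface for an unpatched deployment but does not replace the upgrade, since the advisory also covers callbacks passed to otherwise safe functions.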
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated RCE via sandbox escape in a Python library enables exploitation of public-facing applications (T1190) and abuse of the Python interpreter (T1059.006).