Description
SimpleEval is a library for adding evaluatable expressions into Python projects. Prior to 1.0.5, objects (including modules) can leak dangerous modules through to direct access inside the sandbox if the objects you've passed in as names to SimpleEval have modules or other disallowed / dangerous objects available as attrs. Additionally, dangerous functions or modules could be accessed by passing them as callbacks to other safe functions to call. This vulnerability is fixed in 1.0.5.
Published: 2026-03-13
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

SimpleEval is a lightweight library for evaluating user-supplied Python expressions inside a restricted sandbox. Before version 1.0.5, the sandbox did not prevent objects passed in as names from exposing disallowed objects through attribute access: if a host object had a module (or another dangerous object) hanging off one of its attributes, an expression could reach it directly. A second path let an expression hand a dangerous function or module to an otherwise safe function as a callback, which then invoked it. Either path lets an attacker who controls the expression escape the intended restrictions and run code with the privileges of the host application. The weaknesses are classified as CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes) and CWE-94 (Improper Control of Generation of Code, 'Code Injection').
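Both leak paths can be checked for before an object is ever handed to the sandbox. The following is an added example, not SimpleEval's own code: a scanner that walks the objects you intend to pass in as names and reports any path that reaches a module or a denylisted callable, a read-only allowlist proxy that closes the attribute path, and a wrapper that closes the callback path by refusing dangerous callables as arguments to an otherwise safe function. The `Order` host object, the denylists and all helper names are constructed for this example.

```python
"""Pre-flight checks for objects handed to an expression sandbox (added example, not
SimpleEval's own code). Models the two leak paths in the advisory: a host object exposing
a module or dangerous function through an attribute, and a dangerous callable smuggled
into a "safe" function as a callback. The denylists are assumptions for this example."""
import functools
import os
import subprocess
import types

# Assumed denylists: modules whose callables must never be reachable from an expression,
# and builtins that grant code execution or reflection.
DANGEROUS_MODULES = frozenset({"os", "posix", "nt", "sys", "subprocess", "shutil",
                               "importlib", "socket", "ctypes", "pickle", "marshal"})
DANGEROUS_BUILTINS = frozenset({"eval", "exec", "compile", "__import__", "open", "getattr", "setattr", "vars"})
_LEAF_TYPES = (str, bytes, int, float, complex, bool, type(None))

def is_dangerous(obj):
    """Any module is dangerous; a callable is dangerous if it comes from a denied module/builtin."""
    if isinstance(obj, types.ModuleType):
        return True
    if not callable(obj):
        return False
    module = getattr(obj, "__module__", None)
    if module == "builtins":
        return getattr(obj, "__name__", None) in DANGEROUS_BUILTINS
    return module in DANGEROUS_MODULES

def find_leaks(names, max_depth=3):
    """Return dotted paths under the sandbox `names` mapping that reach a dangerous object.
    Only public attributes and container items are walked (underscore names are skipped)."""
    leaks, seen = [], set()

    def walk(obj, path, depth):
        if id(obj) in seen or depth > max_depth:
            return
        seen.add(id(obj))
        if isinstance(obj, dict):
            items = [(f"{path}[{k!r}]", v) for k, v in obj.items()]
        elif isinstance(obj, (list, tuple)):
            items = [(f"{path}[{i}]", v) for i, v in enumerate(obj)]
        else:
            items = []
            for attr in dir(obj):
                if not attr.startswith("_"):
                    try:
                        items.append((f"{path}.{attr}", getattr(obj, attr)))
                    except Exception:  # a guarded proxy may refuse the attribute
                        pass
        for child, value in items:
            if is_dangerous(value):
                leaks.append(child)
            elif not callable(value) and not isinstance(value, _LEAF_TYPES):
                walk(value, child, depth + 1)

    for name, obj in names.items():
        if is_dangerous(obj):
            leaks.append(name)
        elif not callable(obj) and not isinstance(obj, _LEAF_TYPES):
            walk(obj, name, 0)
    return leaks

class SafeView:
    """Read-only proxy exposing only an explicit allowlist of a host object's attributes."""
    def __init__(self, obj, allowed):
        object.__setattr__(self, "_obj", obj)
        object.__setattr__(self, "_allowed", frozenset(allowed))

    def __getattr__(self, name):
        if name not in self._allowed:
            raise AttributeError(f"{name!r} is not exposed to the sandbox")
        value = getattr(self._obj, name)
        if is_dangerous(value):
            raise AttributeError(f"{name!r} resolves to a disallowed object")
        return value

    def __setattr__(self, name, value):
        raise AttributeError("sandbox view is read-only")

    def __dir__(self):  # lets find_leaks audit the view the same way as a raw object
        return sorted(self._allowed)

def guard_callbacks(fn):
    """Wrap a 'safe' function so it refuses dangerous callables among its arguments."""
    @functools.wraps(fn)
    def wrapper(*args, **kwargs):
        for arg in (*args, *kwargs.values()):
            if is_dangerous(arg):
                raise ValueError(f"refusing to pass {arg!r} into {fn.__name__}")
        return fn(*args, **kwargs)
    return wrapper

class Order:
    """Constructed sample host object with the accidental exposure the advisory describes."""
    def __init__(self):
        self.total = 42
        self.customer = {"name": "alice", "tags": ["vip"]}
        self.helper = os               # a module hanging off a plain attribute
        self.runner = subprocess.call  # a dangerous function reachable as an attribute

    def discounted(self, pct):
        return self.total * (100 - pct) / 100
```

Run `find_leaks` on the exact mapping you give the evaluator: for `{"order": Order(), "ev": eval, "n": 3}` it reports `['order.helper', 'order.runner', 'ev']`, and nothing once `Order()` is wrapped as `SafeView(Order(), {"total", "customer", "discounted"})`; `guard_callbacks(sorted)` still sorts normally but raises before `sorted` can call a denylisted function passed as `key=`. This is a defence-in-depth check around the library, not a substitute for upgrading to 1.0.5, and the denylists must be tuned to what your own objects legitimately expose.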

Affected Systems

The vulnerability affects the simpleeval Python package (CPE vendor danthedeckie) in all releases before 1.0.5. Any installation older than 1.0.5 that evaluates expressions from untrusted sources is affected; deployments that only evaluate trusted, developer-authored expressions are not exposed through this attack path.

Risk and Exploitability

The CNA (GitHub) scored the CVE 8.7 High under CVSS 4.0 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N: network-reachable, no privileges or user interaction required, integrity impact only), NVD rates it 9.8 Critical under CVSS 3.1 (C:H/I:H/A:H), and Red Hat rates it Important. The EPSS score is below 1%, the CVE is not in the CISA KEV catalog, and the SSVC assessment records no known exploitation, so widespread in-the-wild exploitation is currently unlikely, although SSVC also marks the flaw as automatable. The realistic attack vector is an application that embeds SimpleEval and evaluates expressions from untrusted users: the attacker needs no privileges beyond the ability to submit an expression, and a crafted expression can reach a disallowed module or function through an exposed host object or via a callback to a safe function, leading to code execution in the application's context.

Generated by OpenCVE AI on March 18, 2026 at 20:35 UTC.

Remediation

Fixed upstream in SimpleEval 1.0.5; Debian has shipped updated packages via DLA-4543-1 and DSA-6220-1. Until the upgrade is applied, treat every object passed in as a name as reachable by the expression author: pass only plain data or explicitly allowlisted attributes, never objects that expose modules or functions.

OpenCVE Recommended Actions

  • Upgrade SimpleEval to version 1.0.5 or later


Advisories
Source        ID                   Title
Debian DLA    DLA-4543-1           simpleeval security update
Debian DSA    DSA-6220-1           simpleeval security update
GitHub GHSA   GHSA-44vg-5wv2-h2hg  SimpleEval: Objects (including modules) can leak dangerous modules through to direct access inside the sandbox
History

Tue, 21 Apr 2026 16:30:00 +0000
  References (no values listed)

Wed, 18 Mar 2026 18:30:00 +0000
  CPEs
    Added:   cpe:2.3:a:danthedeckie:simpleeval:*:*:*:*:*:python:*:*
  Metrics
    Removed: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}
    Added:   cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Tue, 17 Mar 2026 12:15:00 +0000
  References (no values listed)
  Metrics
    Removed: threat_severity None
    Added:   cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}
    Added:   threat_severity Important

Mon, 16 Mar 2026 18:15:00 +0000
  Metrics
    Added:   ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 10:15:00 +0000
  First Time appeared
    Added:   Danthedeckie
    Added:   Danthedeckie simpleeval
  Vendors & Products
    Added:   Danthedeckie
    Added:   Danthedeckie simpleeval

Fri, 13 Mar 2026 21:30:00 +0000
  Description
    Added:   SimpleEval is a library for adding evaluatable expressions into python projects. Prior to 1.0.5, objects (including modules) can leak dangerous modules through to direct access inside the sandbox. If the objects you've passed in as names to SimpleEval have modules or other disallowed / dangerous objects available as attrs. Additionally, dangerous functions or modules could be accessed by passing them as callbacks to other safe functions to call. The latest version 1.0.5 has this issue fixed. This vulnerability is fixed in 1.0.5.
  Title
    Added:   (SimpleEval) Objects (including modules) can leak dangerous modules through to direct access inside the sandbox.
  Weaknesses
    Added:   CWE-915
    Added:   CWE-94
  References (no values listed)
  Metrics
    Added:   cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T15:29:09.693Z

Reserved: 2026-03-12T15:29:36.560Z

Link: CVE-2026-32640

Vulnrichment

Updated: 2026-04-21T15:29:09.693Z

NVD

Status: Modified

Published: 2026-03-16T14:19:40.930

Modified: 2026-04-21T16:16:19.963

Link: CVE-2026-32640

Red Hat

Severity: Important

Public Date: 2026-03-13T21:03:53Z

Links: CVE-2026-32640 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-23T13:39:28Z

Weaknesses