PT-2026-25385 · Unknown · Simpleeval
Byamb4 · Published 2026-01-01 · Updated 2026-05-25 · CVE-2026-32640
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SimpleEval versions prior to 1.0.5
Description: SimpleEval is a Python library for adding evaluatable expressions to projects. Before version 1.0.5, expressions evaluated in its sandbox could reach dangerous modules directly. This happened when an object passed to SimpleEval as a name had modules or other disallowed objects available as attributes: the sandbox did not check what an allowed object's attributes pointed to, so an expression could reach a disallowed object through attribute access. Dangerous functions or modules could also be reached by passing them as callbacks to otherwise safe functions. Examples of modules that expose other modules as attributes (os.path, for instance, exposes os) include os.path, pathlib, shutil, glob, statistics, numpy, and urllib.parse.
Recommendations: Update versions prior to 1.0.5 to version 1.0.5 or later. Avoid passing objects or modules whose attributes give direct access to potentially dangerous items. Use a wrapper that exposes only the attributes expressions are meant to use.
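The two recommendations above, an audit of what a names mapping exposes and an allow-list wrapper, as an added example; this is not simpleeval's code and not code from the advisory. It assumes, as simpleeval's attribute lookup does, that obj.attr is resolved with getattr() and that attribute names beginning with an underscore are refused by the sandbox; SAMPLE_NAMES, SafeView, audit_names and exposes are names chosen here, and the sample mapping is constructed for the example.

```python
"""Audit a simpleeval names mapping for reachable modules and wrap what is exposed.

Added example, not code from simpleeval or from the advisory. Assumes the sandbox
resolves obj.attr with getattr() and refuses only attribute names that start with
an underscore, which is how simpleeval's attribute lookup behaves.
"""
from __future__ import annotations

import os
import types
from typing import Any, Iterable, Mapping


def module_attributes(obj: Any) -> dict[str, str]:
    """Public attributes of obj whose values are modules, keyed by attribute name."""
    found: dict[str, str] = {}
    for name in dir(obj):
        if name.startswith("_"):  # already refused by the sandbox, not reachable
            continue
        try:
            value = getattr(obj, name)
        except Exception:  # a property may raise; then it is not reachable either
            continue
        if isinstance(value, types.ModuleType):
            found[name] = value.__name__
    return found


def audit_names(names: Mapping[str, Any]) -> dict[str, dict[str, str]]:
    """Report every offered name that is a module or exposes a module one hop away.

    An empty result means no module is reachable through a single attribute access.
    """
    report: dict[str, dict[str, str]] = {}
    for key, value in names.items():
        exposed = module_attributes(value)
        if isinstance(value, types.ModuleType) or exposed:
            report[key] = exposed
    return report


class SafeView:
    """Allow-list wrapper: only the listed attributes of the target are reachable."""

    def __init__(self, target: Any, allowed: Iterable[str]) -> None:
        # Leading underscores keep these fields out of the sandbox's attribute lookup.
        self._target = target
        self._allowed = frozenset(allowed)

    def __getattr__(self, name: str) -> Any:
        if name not in self._allowed:
            raise AttributeError(f"{name!r} is not exposed to the sandbox")
        value = getattr(self._target, name)
        if isinstance(value, types.ModuleType):  # never hand a module through, even if listed
            raise AttributeError(f"{name!r} is a module and is not exposed")
        return value


# Constructed sample: the kind of names dict an application might pass to simpleeval.
# os.path is a real module that exposes os (and others) as attributes.
SAMPLE_NAMES = {"path": os.path, "limit": 10, "label": "report"}


def safe_names() -> dict[str, Any]:
    """Replace the raw module in SAMPLE_NAMES with a view exposing only what is needed."""
    return {
        "path": SafeView(os.path, ["basename", "join", "splitext"]),
        "limit": SAMPLE_NAMES["limit"],
        "label": SAMPLE_NAMES["label"],
    }


def exposes(obj: Any, attr: str) -> bool:
    """True if a getattr-based attribute lookup would reach attr on obj."""
    try:
        getattr(obj, attr)
    except AttributeError:
        return False
    return True


if __name__ == "__main__":
    print("before:", audit_names(SAMPLE_NAMES))  # path exposes os, among others
    print("after: ", audit_names(safe_names()))  # {}
    print("path.os reachable before/after:",
          exposes(SAMPLE_NAMES["path"], "os"), exposes(safe_names()["path"], "os"))
```

Run the audit on the exact mapping you hand to simpleeval, not on a copy built for the test: the point is that a raw module such as os.path is flagged before it ever reaches the sandbox, and the view that replaces it answers only the listed names. The audit looks one attribute hop deep, which is the case the advisory describes; objects that return modules from methods or from deeper attribute chains still need the wrapper.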

Exploit · Fix

Weakness Enumeration: Code Injection

Related Identifiers

CVE-2026-32640
GHSA-44VG-5WV2-H2HG
OPENSUSE-SU-2026:10373-1
OPENSUSE-SU-2026:20393-1
PYSEC-2026-132
USN-8301-1

Affected Products

Simpleeval