Bug 2447529 (CVE-2026-32640) - CVE-2026-32640 simpleeval: SimpleEval: Arbitrary code execution via sandbox escape due to improper object handling
Status: NEW
Alias: CVE-2026-32640
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
Reported: 2026-03-13 22:02 UTC by OSIDB Bzimport
Modified: 2026-03-17 09:48 UTC (History)


Description OSIDB Bzimport 2026-03-13 22:02:40 UTC
SimpleEval is a library for adding evaluatable expressions into Python projects. Prior to 1.0.5, objects (including modules) can leak dangerous modules through to direct access inside the sandbox if the objects you've passed in as names to SimpleEval have modules or other disallowed / dangerous objects available as attrs. Additionally, dangerous functions or modules could be accessed by passing them as callbacks to other safe functions to call. The latest version 1.0.5 has this issue fixed. This vulnerability is fixed in 1.0.5.
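Both vectors in the description (modules reachable as public attributes of objects passed as names, and callables smuggled into an otherwise safe function) can be checked on the application side before anything is evaluated. The code below is an added example, not part of this bug report or of the simpleeval project; `Settings` is a constructed sample object, and `names=` / `functions=` refer to the SimpleEval constructor arguments the check is meant to guard.

```python
import os
import types
from typing import Any, Mapping

# Values that are safe to expose as-is; their attributes are not walked.
PRIMITIVES = (str, bytes, int, float, bool, type(None), list, tuple, dict, set)


def find_module_attrs(obj: Any, path: str, depth: int = 3, seen=None) -> list:
    """Return dotted paths of modules reachable from obj via public attributes.

    Underscore-prefixed attributes are skipped because simpleeval already refuses
    them; anything reported here is reachable with a plain ``name.attr`` expression.
    """
    seen = set() if seen is None else seen
    hits = []
    if depth < 0 or id(obj) in seen or isinstance(obj, PRIMITIVES):
        return hits
    seen.add(id(obj))
    for attr in dir(obj):
        if attr.startswith("_"):
            continue
        try:
            value = getattr(obj, attr)
        except Exception:  # a property that raises is not reachable either
            continue
        child = f"{path}.{attr}"
        if isinstance(value, types.ModuleType):
            hits.append(child)
        elif not callable(value):  # recurse into plain objects, not into callables
            hits.extend(find_module_attrs(value, child, depth - 1, seen))
    return hits


def audit_names(names: Mapping[str, Any]) -> list:
    """Audit a mapping before passing it as SimpleEval(names=...)."""
    hits = []
    for name, value in names.items():
        if isinstance(value, types.ModuleType):
            hits.append(name)
        else:
            hits.extend(find_module_attrs(value, name))
    return hits


def reject_callable_args(func):
    """Wrap a function exposed via SimpleEval(functions=...) so that an
    expression cannot hand it an arbitrary callable to invoke."""
    def wrapper(*args, **kwargs):
        if any(callable(a) for a in (*args, *kwargs.values())):
            raise TypeError(f"{func.__name__}: callable arguments are not allowed")
        return func(*args, **kwargs)
    wrapper.__name__ = func.__name__
    return wrapper


class Settings:
    """Constructed sample object, like one an application might expose as a name."""
    timeout = 30

    def __init__(self) -> None:
        self.helper = os  # a module hung off the object by accident


if __name__ == "__main__":
    print(audit_names({"cfg": Settings(), "n": 3}))  # ['cfg.helper']
```

Refuse to build the evaluator when `audit_names` returns anything, and register only wrapped functions; the check is independent of the library fix and still useful on 1.0.5 as defence in depth.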
