Security News

Cybersecurity news aggregator

HIGH Vulnerabilities Ubuntu Security

USN-8301-1: SimpleEval vulnerability

A critical sandbox escape vulnerability (CVE-2026-32640, CVSS 9.8) in the SimpleEval Python library allows arbitrary code execution via specially crafted input that exploits improper restrictions on attribute access and callbacks. The NVD data indicates all versions of the `danthedeckie/simpleeval` package prior to version 1.0.5 are affected. The fix requires upgrading the library to version 1.0.5.

Ubuntu Security Notices

USN-8301-1: SimpleEval vulnerability

Publication date: 25 May 2026

Overview

SimpleEval could be made to run programs if it received specially crafted input.

Releases: 26.04 LTS, 25.10, 24.04 LTS, 22.04 LTS, 20.04 LTS, 18.04 LTS, 16.04 LTS

Packages

simpleeval - Python library for evaluating expressions

Details

Byambadalai Sumiya discovered that SimpleEval did not properly restrict attribute access and callback handling inside a sandbox. An attacker could possibly use this issue to execute arbitrary code.

Update instructions

In general, a standard system update will make all the necessary changes. The problem can be corrected by updating your system to the following package versions:

| Ubuntu Release | Package | Version | Availability |
|---|---|---|---|
| 26.04 LTS resolute | python3-simpleeval | 1.0.3-1+deb13u1build0.26.04.1 | |
| 25.10 questing | python3-simpleeval | 1.0.3-1+deb13u1build0.25.10.1 | |
| 24.04 LTS noble | python3-simpleeval | 0.9.12-1+deb12u1build0.24.04.1 | |
| 22.04 LTS jammy | python3-simpleeval | 0.9.11-1ubuntu0.1~esm1 | Ubuntu Pro |
| 20.04 LTS focal | python3-simpleeval | 0.9.10-1+deb11u1build0.20.04.1 | Ubuntu Pro |
| 18.04 LTS bionic | python-simpleeval | 0.9.5-1ubuntu0.1~esm1 | Ubuntu Pro |
| 18.04 LTS bionic | python3-simpleeval | 0.9.5-1ubuntu0.1~esm1 | Ubuntu Pro |
| 16.04 LTS xenial | python-simpleeval | 0.8.7-1ubuntu0.1~esm1 | |
| 16.04 LTS xenial | python3-simpleeval | 0.8.7-1ubuntu0.1~esm1 | |

Ubuntu Pro: Fix available with Ubuntu Pro via ESM Apps. A community fix might become publicly available in the future.

References

CVE-2026-32640
