
CVE-2026-32640

EUVD-2026-12142 · HIGH
Code Injection (CWE-94)
2026-03-13 · https://github.com/danthedeckie/simpleeval · GHSA-44vg-5wv2-h2hg
8.7 (CVSS 4.0 · GitHub Advisory)

Severity by source

  • GitHub Advisory (primary): 8.7 HIGH
    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • SUSE: 9.8 CRITICAL
    AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Red Hat: 7.5 HIGH (qualitative)

Primary rating from GitHub Advisory.

CVSS Vector (GitHub Advisory)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: X

Lifecycle Timeline

  • Apr 21, 2026 16:22 (vuln.today): Re-analysis queued
  • Apr 21, 2026 16:22 (NVD): Severity changed, CRITICAL → HIGH
  • Apr 21, 2026 16:22 (NVD): CVSS changed, 9.8 (CRITICAL) → 8.7 (HIGH)
  • Mar 31, 2026 21:13 (nvd): Patch released; patch available
  • Mar 18, 2026 18:26 (vuln.today): PoC detected; public exploit code
  • Mar 13, 2026 21:01 (euvd): EUVD ID assigned, EUVD-2026-12142
  • Mar 13, 2026 21:01 (vuln.today): Analysis generated
  • Mar 13, 2026 20:56 (nvd): CVE published, CRITICAL 9.8

Description (GitHub Advisory)

Impact

If the objects passed in as names to SimpleEval have modules or other disallowed / dangerous objects available as attrs, those objects can be reached from an evaluated expression through attribute access. Additionally, dangerous functions or modules could be accessed by passing them as callbacks to other safe functions to call.

Examples (found by @ByamB4):

Any module where non-underscore attribute chains reach os or sys:

  • os.path, pathlib, shutil, glob (direct .os / .sys attributes)
  • statistics (has .sys)
  • numpy (has .ctypeslib.os and .f2py.sys)
  • urllib.parse (has .warnings.sys)

Patches

The latest version 1.0.5 has this issue fixed.

Workarounds

Don't pass in objects or modules which have direct attributes to potentially dangerous items. Use a wrapper to wrap the potentially vulnerable items (see the ModuleWrapper in version 1.0.5).
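As an added defensive illustration (not simpleeval's own code, and independent of the library): an audit that walks non-underscore attribute chains from each object in a names dict and reports the paths that resolve to os or sys, next to a hypothetical AllowlistWrapper that exposes only named attributes, in the spirit of the ModuleWrapper the advisory points to. The function and class names are assumptions; os.path and shutil are two of the modules the advisory lists.

```python
import os
import shutil
import sys
import types

DANGEROUS = (os, sys)  # modules that must never be reachable from an expression

def find_module_paths(obj, max_depth=3):
    """Audit: dotted non-underscore attribute chains from obj that reach DANGEROUS."""
    found, seen, stack = [], set(), [(obj, "", 0)]
    while stack:
        current, path, depth = stack.pop()
        if id(current) in seen or depth >= max_depth:
            continue
        seen.add(id(current))
        for name in (n for n in dir(current) if not n.startswith("_")):
            try:
                value = getattr(current, name)
            except Exception:  # lazy or broken attributes: skip, not a finding
                continue
            child = f"{path}.{name}" if path else name
            if any(value is m for m in DANGEROUS):
                found.append(child)
            elif isinstance(value, (types.ModuleType, type)):
                stack.append((value, child, depth + 1))  # descend into submodules/classes
    return sorted(found)

def audit_names(names, max_depth=3):
    """Flag entries of a simpleeval-style names dict that expose a dangerous module."""
    return {k: p for k, v in names.items() if (p := find_module_paths(v, max_depth))}

class AllowlistWrapper:
    """Expose only named attributes (hypothetical, in the spirit of the advisory's ModuleWrapper)."""
    def __init__(self, target, allowed):
        self._target, self._allowed = target, frozenset(allowed)
    def __getattr__(self, name):  # only called for names not set on the instance
        if name not in self._allowed:
            raise AttributeError(f"{name!r} is not exposed by this wrapper")
        return getattr(self._target, name)
    def __dir__(self):  # reflection (and this audit) sees only the allowlist
        return sorted(self._allowed)

def demo():
    """Audit two modules the advisory lists, raw and then wrapped."""
    raw = {"path": os.path, "files": shutil}
    safe = {"path": AllowlistWrapper(os.path, ["join", "basename"]),
            "files": AllowlistWrapper(shutil, ["disk_usage"])}
    return {"raw": audit_names(raw), "safe": audit_names(safe),
            "join_works": safe["path"].join("a", "b") == os.path.join("a", "b"),
            "os_blocked": getattr(safe["path"], "os", None) is None}
```

Running `audit_names` over the dict you intend to hand to SimpleEval before evaluating anything gives a cheap pre-flight check; an empty result for the wrapped dict, beside hits such as `os`, `sys` and `fnmatch.os` for the raw modules, is the expected outcome.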

Analysis (AI)

Code injection in SimpleEval when objects with dangerous attrs are passed. PoC available.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: Pass module object with dangerous attributes to SimpleEval
  • Exploit: Access os/sys through attribute chains
  • Impact: Execute arbitrary code via eval

Vulnerability Assessment (AI)

Exploitation: SimpleEval versions prior to 1.0.5 with unsafe module objects (os, sys, numpy, pathlib, shutil, glob, statistics, urllib.parse) passed as the 'names' parameter or available as callbacks to safe functions.
Risk Assessment: CVSS 9.8.
Exploit Scenario: Inject code through object attributes.
Remediation: Update.

Recommended Action (AI)

Within 24 hours: Inventory all applications and dependencies using SimpleEval and assess whether untrusted input is evaluated. …


Vendor Status

SUSE (severity: Critical)

Product status:
  • SUSE Package Hub 15 SP6: Fixed
  • openSUSE Leap 15.6: Fixed
  • openSUSE Leap 16.0: Fixed
  • openSUSE Tumbleweed: Fixed


CVE-2026-32640 vulnerability details – vuln.today
