PYSEC-2026-374

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/langchain-experimental/PYSEC-2026-374.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-374
Aliases
Published
2026-06-29T11:50:41.097287Z
Modified
2026-07-01T20:22:55.391040Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
LangChain Experimental Eval Injection vulnerability
Details

langchain_experimental (aka LangChain Experimental) 0.1.17 through 0.3.0 for LangChain allows attackers to execute arbitrary code through sympy.sympify (which uses eval) in LLMSymbolicMathChain. LLMSymbolicMathChain was introduced in fcccde406dd9e9b05fc9babcbeb9ff527b0ec0c6 (2023-10-05).

References

Affected packages

PyPI / langchain-experimental

Package

Name
langchain-experimental
View open source insights on deps.dev
Purl
pkg:pypi/langchain-experimental

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.1.17
Last affected
0.3.0

Affected versions

0.*
0.3.0.dev1
0.3.0

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/langchain-experimental/PYSEC-2026-374.yaml"