VDB
KO
HIGH 7.2

PYSEC-2026-1264

Composio Eval Injection Vulnerability

Details

In composiohq/composio version 0.4.3, the mathematical_calculator endpoint uses the unsafe eval() function to perform mathematical operations. This can lead to arbitrary code execution if untrusted input is passed to the eval() function.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / composio-core
Introduced in: 0 Fixed in: 0.5.43
Fix pip install --upgrade 'composio-core>=0.5.43'

References