matplotlib is vulnerable to Remote code execution (RCE)
81
High Risk
The axes.prop_cycle rcParam string is parsed in validate_cycler() in lib/matplotlib/rcsetup.py by calling eval() on a restricted but attacker-influenced string (for example, one supplied through a matplotlibrc file or a style sheet), which can allow arbitrary code execution. In the PGF, LaTeX, and PostScript pipelines, texmanager, backend_pgf, and backend_ps invoke external latex, dvips, and Ghostscript processes; previously TeX was run with shell escapes available, and dvips and Ghostscript were invoked with weaker hardening. The fixed release replaces the cycler eval() with a safe AST-based parser, passes -no-shell-escape to TeX, runs dvips with -R1, and adds -dSAFER to the Ghostscript invocation, removing those execution paths.
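As an added illustration of the AST-based approach the fix describes (this is example code, not matplotlib's own rcsetup.py implementation), a restricted walker that accepts only cycler(...) calls with literal arguments joined by + and *, and rejects every other node; the ALLOWED_KEYS set and the returned structure are assumptions of this example.

```python
import ast

ALLOWED_KEYS = {"color", "linestyle", "linewidth", "marker", "alpha"}  # assumption

def _literal(node):
    # Only str/number constants and (nested) lists/tuples of them count as literals.
    if isinstance(node, ast.Constant) and isinstance(node.value, (str, int, float)):
        return node.value
    if isinstance(node, (ast.List, ast.Tuple)):
        return [_literal(elt) for elt in node.elts]
    raise ValueError(f"disallowed node: {type(node).__name__}")

def _cycler_call(node):
    # Accept cycler(key, values) or cycler(key=values, ...); reject everything else,
    # including attribute access, other calls, bare names and comprehensions.
    if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id == "cycler"):
        raise ValueError("only cycler(...) calls are allowed")
    if node.args and (len(node.args) != 2 or node.keywords):
        raise ValueError("positional form must be exactly cycler(key, values)")
    if any(kw.arg is None for kw in node.keywords):  # cycler(**x) could smuggle non-literals
        raise ValueError("**kwargs are not allowed")
    pairs = [(_literal(node.args[0]), _literal(node.args[1]))] if node.args else []
    pairs += [(kw.arg, _literal(kw.value)) for kw in node.keywords]
    for key, values in pairs:
        if not (isinstance(key, str) and key in ALLOWED_KEYS and isinstance(values, list)):
            raise ValueError(f"bad property {key!r}")
    return dict(pairs)

def _expr(node):
    # A prop cycle is cycler calls combined with + (zip) and * (product).
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mult)):
        return (type(node.op).__name__, _expr(node.left), _expr(node.right))
    return _cycler_call(node)

def parse_prop_cycle(text):
    """Parse an axes.prop_cycle string through the AST; the string is never eval()ed."""
    try:
        tree = ast.parse(text, mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"not a valid expression: {exc.msg}") from None
    return _expr(tree.body)

def is_valid_prop_cycle(text):
    """True if the string is accepted; a hostile string is rejected rather than executed."""
    try:
        parse_prop_cycle(text)
    except ValueError:
        return False
    return True
```

ast.parse itself can still raise RecursionError or MemoryError on pathologically nested input, so a length limit on the rcParam string before parsing is a sensible extra guard.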
You are affected if you are using a version that falls within the vulnerable range.
matplotlib is vulnerable to Remote code execution (RCE) in versions 1.5.0 - 3.10.8.
Upgrade the matplotlib library to the patched version.