CVE-2026-12866 | All versions of the package expr-eval are vulnerable to Code… | CVSS 9.8 CRITICAL

Description

All versions of the package expr-eval are vulnerable to Code Execution via the toJSFunction() API. An attacker can execute arbitrary JavaScript by supplying crafted expressions that are compiled into native code using new Function(). Because user-controlled expressions are transformed directly into executable JavaScript, attackers can escape the intended expression sandbox and run arbitrary code within the application's context.

Metadata

CVE ID: CVE-2026-12866
State: PUBLISHED
Assigner: snyk
Reserved: 2026-06-22 08:22 UTC
Published: 2026-06-23 05:00 UTC
Last updated: 2026-06-23 05:00 UTC
Primary CWE: CWE-94
Code Execution
Vendor / Product: n/a / expr-eval
Sources: cve.org · NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products (1)

Vendor	Product	Platform	Versions
n/a	expr-eval	—	0 < *

Weakness (CWE)

CWE	Source	Description
CWE-94	cna	Code Execution

CVSS scores (2)

Score	Severity	Version	Source	Vector
9.8	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.2	CRITICAL	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References (3)