CVE-2026-26954 | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.3… | CVSS 10.0 CRITICAL

Description

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.34, it is possible to obtain arrays containing Function, which allows escaping the sandbox. Given an array containing Function, and Object.fromEntries, it is possible to construct {[p]: Function} where p is any constructible property. This vulnerability is fixed in 0.8.34.

Metadata

CVE ID: CVE-2026-26954
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-02-16 22:20 UTC
Published: 2026-03-13 15:51 UTC
Last updated: 2026-03-16 17:06 UTC
Primary CWE: CWE-94
CWE-94: Improper Control of Generation of Code ('Code Inject…
Vendor / Product: nyariv / SandboxJS
Sources: cve.org · NVD

Severity & Metrics

10.0 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
nyariv	SandboxJS	—	< 0.8.34

Weakness (CWE)

CWE	Source	Description
CWE-94	cna	CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS scores (1)

Score	Severity	Version	Source	Vector
10.0	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References (1)

https://github.com/nyariv/SandboxJS/security/advisories/GHSA-6r9f-759j-hjgv https://github.com/nyariv/SandboxJS/security/advisories/GHSA-6r9f-759j-hjgv