CVE-2026-26954
CRITICAL
SandboxJS < 0.8.34 - Sandbox Escape via Function Array Manipulation
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.34, it is possible to obtain arrays containing Function, which allows escaping the sandbox. Given an array containing Function, and Object.fromEntries, it is possible to construct {[p]: Function} where p is any constructible property. This vulnerability is fixed in 0.8.34.
References (1)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/nyariv/SandboxJS/security/advisories/GHSA-6r9f-759j-hjgv
Scores
CVSS v3
10.0
EPSS
0.0055
EPSS Percentile
41.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-94
Status
published
Products (3)
nyariv/sandboxjs
< 0.8.34
nyariv/sandboxjs
0 - 0.8.34 (npm)
nyariv/SandboxJS
< 0.8.34
Published
Mar 13, 2026
Tracked Since
Mar 14, 2026