CVE-2026-34208

CRITICAL

SandboxJS: Sandbox integrity escape

Title source: cna

Description

SandboxJS is a JavaScript sandboxing library. In versions prior to 0.8.36, SandboxJS blocks direct assignment to global objects (for example, Math.random = ...), but this protection can be bypassed through an exposed callable constructor path: this.constructor.call(target, attackerObject). Because this.constructor resolves to the internal SandboxGlobal function and Function.prototype.call is allowed, sandboxed code can write arbitrary properties into host global objects, and those mutations persist across sandbox instances in the same process. This vulnerability is fixed in 0.8.36.

Scores

CVSS v3 10.0
EPSS 0.0018
EPSS Percentile 39.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-693 CWE-915
Status published
Products (3)
nyariv/sandboxjs < 0.8.36
nyariv/sandboxjs 0 - 0.8.36 (npm)
nyariv/SandboxJS < 0.8.36
Published Apr 06, 2026
Tracked Since Apr 06, 2026