CVE-2026-25520CRITICAL 10.0EPSS p51.2%

CVE-2026-25520CVE-2026-25520

Description

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, The return values of functions aren't wrapped. Object.values/Object.entries can be used to get an Array containing the host's Function constructor, by using Array.prototype.at you can obtain the hosts Function constructor, which can be used to execute arbitrary code outside of the sandbox. This vulnerability is fixed in 0.8.29.

Scoring

CVSS 3.110.0 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS0.78% probability of exploitation · percentile 51.2% · 2026-06-18T12:00:27Z
Published2026-02-06
Last modified2026-02-18

Underlying weaknesses· 1

CWE-74

References

  1. https://github.com/nyariv/SandboxJS/commit/67cb186c41c78c51464f70405504e8ef0a6e43c3
  2. https://github.com/nyariv/SandboxJS/security/advisories/GHSA-58jh-xv4v-pcx4
  3. https://github.com/nyariv/SandboxJS/security/advisories/GHSA-58jh-xv4v-pcx4

1

TypeTargetConfidenceTier
WeaknessImproper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')cwe-740%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-26954
CVE
CVE-2026-25142
CVE
CVE-2026-25586
CVE
CVE-2026-25587
CVE
CVE-2026-25641
CVE
CVE-2026-34208
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.