CVE-2026-25881 · CRITICAL 10.0 · EPSS p41.7%


Description

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.31, a sandbox escape vulnerability allows sandboxed code to mutate host built-in prototypes by laundering the isGlobal protection flag through array literal intermediaries. When a global prototype reference (e.g., Map.prototype, Set.prototype) is placed into an array and retrieved, the isGlobal taint is stripped, permitting direct prototype mutation from within the sandbox. This results in persistent host-side prototype pollution and may enable RCE in applications that use polluted properties in sensitive sinks (example gadget: execSync(obj.cmd)). This vulnerability is fixed in 0.8.31.
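A host-side tripwire for the effect described above, as an added example that is not SandboxJS code or part of the advisory: snapshot the built-in prototypes before running untrusted code, diff them afterwards, and read sink inputs only from own properties. All function names, the watch list and the polluted `cmd` value are hypothetical; the pollution is simulated with a direct host write.

```javascript
const WATCHED = { Object, Array, Map, Set, Function, Promise }; // hypothetical watch list

// Record the own property descriptors of each watched built-in prototype.
function snapshotBuiltins(watched = WATCHED) {
  const snap = new Map();
  for (const [name, ctor] of Object.entries(watched)) {
    const proto = ctor.prototype;
    const props = new Map();
    for (const key of Reflect.ownKeys(proto)) {
      props.set(key, Object.getOwnPropertyDescriptor(proto, key));
    }
    snap.set(name, { proto, props });
  }
  return snap;
}

// Compare current prototypes with the snapshot; report added or replaced keys.
function diffBuiltins(before) {
  const findings = [];
  for (const [name, { proto, props }] of before) {
    for (const key of Reflect.ownKeys(proto)) {
      const cur = Object.getOwnPropertyDescriptor(proto, key);
      const old = props.get(key);
      const label = `${name}.prototype.${String(key)}`;
      if (!old) findings.push(`${label} added`);
      else if (old.value !== cur.value || old.get !== cur.get || old.set !== cur.set) {
        findings.push(`${label} replaced`);
      }
    }
  }
  return findings;
}

// Sink guard: accept a string only from the object's own data property.
function ownString(obj, key) {
  const d = Object.getOwnPropertyDescriptor(obj, key);
  return d && typeof d.value === 'string' ? d.value : undefined;
}

function demo() {
  const before = snapshotBuiltins();
  Map.prototype.cmd = 'constructed-marker'; // constructed stand-in for the pollution
  const opts = new Map();
  const result = { inherited: opts.cmd, guarded: ownString(opts, 'cmd') };
  result.findings = diffBuiltins(before);
  delete Map.prototype.cmd; // restore host state
  result.clean = diffBuiltins(before);
  return result;
}
```

The diff only detects pollution after the fact; upgrading to 0.8.31 is the fix the advisory names.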

Scoring

CVSS 3.1: 10.0 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.55% probability of exploitation · percentile 41.7% · 2026-06-18T12:00:27Z
Published: 2026-02-09
Last modified: 2026-02-18

Underlying weaknesses · 1

CWE-1321

References

  1. https://github.com/nyariv/SandboxJS/commit/f369f8db26649f212a6a9a2e7a1624cb2f705b53
  2. https://github.com/nyariv/SandboxJS/security/advisories/GHSA-ww7g-4gwx-m7wj


Type | Target | Confidence | Tier
Weakness | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') (cwe-1321) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-25586
  2. CVE-2026-26954
  3. CVE-2026-25142
  4. CVE-2026-25641
  5. CVE-2026-34208
  6. CVE-2026-23830

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.