CVE-2026-26954 · CRITICAL 10.0 · EPSS p41.5%

Description

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.34, it is possible to obtain arrays containing Function, which allows escaping the sandbox. Given an array containing Function, and Object.fromEntries, it is possible to construct {[p]: Function} where p is any constructible property. This vulnerability is fixed in 0.8.34.

Scoring

CVSS 3.1: 10.0 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.55% probability of exploitation · percentile 41.5% · 2026-06-18T12:00:27Z
Published: 2026-03-13
Last modified: 2026-03-17

Underlying weaknesses · 1

CWE-94

References

  1. https://github.com/nyariv/SandboxJS/security/advisories/GHSA-6r9f-759j-hjgv

Type: Weakness · Target: Improper Control of Generation of Code ('Code Injection') (cwe-94) · Confidence: 0% · Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-25520
CVE-2026-25142
CVE-2026-23830
CVE-2026-25881
CVE-2026-25586
CVE-2026-25641
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.