CVE-2026-34208CRITICAL 10.0EPSS p42.2%

CVE-2026-34208CVE-2026-34208

Description

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, SandboxJS blocks direct assignment to global objects (for example Math.random = ...), but this protection can be bypassed through an exposed callable constructor path: this.constructor.call(target, attackerObject). Because this.constructor resolves to the internal SandboxGlobal function and Function.prototype.call is allowed, attacker code can write arbitrary properties into host global objects and persist those mutations across sandbox instances in the same process. This vulnerability is fixed in 0.8.36.

Scoring

CVSS 3.110.0 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS0.56% probability of exploitation · percentile 42.2% · 2026-06-19T12:03:05Z
Published2026-04-06
Last modified2026-04-09

Underlying weaknesses· 2

CWE-693CWE-915

References

  1. https://github.com/nyariv/SandboxJS/security/advisories/GHSA-2gg9-6p7w-6cpj

2

TypeTargetConfidenceTier
WeaknessProtection Mechanism Failurecwe-6930%live
WeaknessImproperly Controlled Modification of Dynamically-Determined Object Attributescwe-9150%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-25586
CVE
CVE-2026-25520
CVE
CVE-2026-25881
CVE
CVE-2026-25142
CVE
CVE-2026-25641
CVE
CVE-2026-23830
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.