CVE-2026-39911 · HIGH 8.8 · EPSS percentile 41.4%


Description

Hashgraph Guardian through version 3.5.1, fixed in commit 45fbe2f, contains an unsandboxed JavaScript execution vulnerability in the Custom Logic policy block worker that allows authenticated Standard Registry users to execute arbitrary code by passing user-supplied JavaScript expressions directly to the Node.js Function() constructor without isolation. Attackers can import native Node.js modules to read arbitrary files from the container filesystem, access process environment variables containing sensitive credentials such as RSA private keys, JWT signing keys, and API tokens, and forge valid authentication tokens for any user including administrators.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.55% probability of exploitation · percentile 41.4% · scored 2026-06-18T12:00:27Z
Published: 2026-04-09
Last modified: 2026-05-01

Underlying weaknesses (1)

CWE-668: Exposure of Resource to Wrong Sphere

References

  1. https://github.com/hashgraph/guardian/commit/45fbe2f7e0e8feee30105d42d66ed63fb6177ebe
  2. https://github.com/hashgraph/guardian/pull/5929
  3. https://www.vulncheck.com/advisories/hashgraph-guardian-unsandboxed-javascript-execution-rce

Type      Target                                           Confidence  Tier
Weakness  Exposure of Resource to Wrong Sphere (CWE-668)   0%          live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  - CVE: CVE-2026-31992
  - CVE: CVE-2026-44643
  - CVE: CVE-2026-41378
  - CVE: CVE-2026-7474
  - CVE: CVE-2026-32971
  - CVE: CVE-2026-39842

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.