{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26954", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-16T22:20:28.611Z", "datePublished": "2026-03-13T15:51:13.413Z", "dateUpdated": "2026-03-16T17:06:55.221Z"}, "containers": {"cna": {"title": "SandboxJS has a Sandbox Escape", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/nyariv/SandboxJS/security/advisories/GHSA-6r9f-759j-hjgv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nyariv/SandboxJS/security/advisories/GHSA-6r9f-759j-hjgv"}], "affected": [{"vendor": "nyariv", "product": "SandboxJS", "versions": [{"version": "< 0.8.34", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-13T15:51:13.413Z"}, "descriptions": [{"lang": "en", "value": "SandboxJS is a JavaScript sandboxing library. Prior to 0.8.34, it is possible to obtain arrays containing Function, which allows escaping the sandbox. Given an array containing Function, and Object.fromEntries, it is possible to construct {[p]: Function} where p is any constructible property. This vulnerability is fixed in 0.8.34."}], "source": {"advisory": "GHSA-6r9f-759j-hjgv", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/nyariv/SandboxJS/security/advisories/GHSA-6r9f-759j-hjgv", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-16T17:06:51.837071Z", "id": "CVE-2026-26954", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T17:06:55.221Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26954", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-16T17:06:51.837071Z"}}}], "references": [{"url": "https://github.com/nyariv/SandboxJS/security/advisories/GHSA-6r9f-759j-hjgv", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T17:06:45.533Z"}}], "cna": {"title": "SandboxJS has a Sandbox Escape", "source": {"advisory": "GHSA-6r9f-759j-hjgv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "nyariv", "product": "SandboxJS", "versions": [{"status": "affected", "version": "< 0.8.34"}]}], "references": [{"url": "https://github.com/nyariv/SandboxJS/security/advisories/GHSA-6r9f-759j-hjgv", "name": "https://github.com/nyariv/SandboxJS/security/advisories/GHSA-6r9f-759j-hjgv", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "SandboxJS is a JavaScript sandboxing library. Prior to 0.8.34, it is possible to obtain arrays containing Function, which allows escaping the sandbox. Given an array containing Function, and Object.fromEntries, it is possible to construct {[p]: Function} where p is any constructible property. This vulnerability is fixed in 0.8.34."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-13T15:51:13.413Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26954", "state": "PUBLISHED", "dateUpdated": "2026-03-16T17:06:55.221Z", "dateReserved": "2026-02-16T22:20:28.611Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-13T15:51:13.413Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nyariv:sandboxjs:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "21637BCD-7C1B-48F0-836C-399CD3946F7D", "versionEndExcluding": "0.8.34", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SandboxJS is a JavaScript sandboxing library. Prior to 0.8.34, it is possible to obtain arrays containing Function, which allows escaping the sandbox. Given an array containing Function, and Object.fromEntries, it is possible to construct {[p]: Function} where p is any constructible property. This vulnerability is fixed in 0.8.34."}], "id": "CVE-2026-26954", "lastModified": "2026-03-17T20:13:06.470", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-13T19:54:31.143", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/nyariv/SandboxJS/security/advisories/GHSA-6r9f-759j-hjgv"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/nyariv/SandboxJS/security/advisories/GHSA-6r9f-759j-hjgv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.8.34)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "SandboxJS", "source": "cna", "vendor": "nyariv"}, "product": "sandboxjs", "vendor": "nyariv"}], "analysis": {"en": {"generated_at": "2026-03-17T21:43:09.240196+00:00", "value": {"mitigation_remediation": ["Update SandboxJS to version 0.8.34 or later.", "Verify that all dependencies are up to date and that no untrusted input is passed to the sandbox."], "summary": {"action": "Patch", "impact": "Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the nyariv sandboxjs library for all versions prior to 0.8.34. Any deployment that includes a version of SandboxJS older than 0.8.34 is potentially exploitable.", "description_and_impact": "SandboxJS is a JavaScript sandboxing library that, before version 0.8.34, allows an attacker to obtain arrays containing Function objects. By combining such an array with Object.fromEntries, an adversary can construct an object with arbitrary constructible property keys pointing to Function values. This flaw enables a sandbox escape, giving the attacker the ability to execute arbitrary code within the host Node.js process. The weakness aligns with CWE\u201194 (Code Injection).", "risk_and_exploitability": "The CVSS score is 10, indicating critical severity. The EPSS score is less than 1%, suggesting a low probability of real\u2011world exploitation, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack vector is inferred to be local exploitation through providing malicious input or code to the sandboxed environment, and is likely to be exploitable in server\u2011side Node.js applications that use SandboxJS. If the attacker can supply input that is evaluated by SandboxJS, they may escape the sandbox and run arbitrary code."}}}}, "created": "2026-03-16T09:25:04.175345+00:00", "updated": "2026-03-23T12:02:46.882521+00:00", "vendors": ["nyariv", "nyariv$PRODUCT$sandboxjs"]}