CVE-2026-34208

CRITICAL SEVERITY

CVSS Score & Metrics

Base Score

10.0 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L                                    

Vulnerability Description

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, SandboxJS blocks direct assignment to global objects (for example Math.random = ...), but this protection can be bypassed through an exposed callable constructor path: this.constructor.call(target, attackerObject). Because this.constructor resolves to the internal SandboxGlobal function and Function.prototype.call is allowed, attacker code can write arbitrary properties into host global objects and persist those mutations across sandbox instances in the same process. This vulnerability is fixed in 0.8.36.

Vulnerability Details

Published Date

April 03, 2026

Last Modified

April 09, 2026

CWE ID

CWE-693

Source

GitHub

Vendor

npm

Product

@nyariv/sandboxjs

External References

https://github.com/nyariv/SandboxJS/security/advisories/GHSA-2gg9-6p7w-6cpj
https://github.com/advisories/GHSA-2gg9-6p7w-6cpj

CVE-2026-34208

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment