CVE-2026-34208

EUVD-2026-19297

06.04.2026, 16:16

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, SandboxJS blocks direct assignment to global objects (for example Math.random = ...), but this protection can be bypassed through an exposed callable constructor path: this.constructor.call(target, attackerObject). Because this.constructor resolves to the internal SandboxGlobal function and Function.prototype.call is allowed, attacker code can write arbitrary properties into host global objects and persist those mutations across sandbox instances in the same process. This vulnerability is fixed in 0.8.36.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	10 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L

Base Score

CVSS 3.x

EPSS Score

Percentile: 50%

Affected Products (NVD)

Vendor	Product	Version
nyariv	sandboxjs	𝑥 < 0.8.36

𝑥

= Vulnerable software versions

Known Exploits!

https://github.com/nyariv/SandboxJS/security/advisories/GHSA-2gg9-6p7w-6cpj

Common Weakness Enumeration

CWE-693 - Protection Mechanism Failure
The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

References

https://github.com/nyariv/SandboxJS/security/advisories/GHSA-2gg9-6p7w-6cpj