What is the CVSS score of CVE-2026-23830?

CVE-2026-23830 has a CVSS 3.1 base score of 10.0 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.2%.

Which versions of Sandboxjs are affected by CVE-2026-23830?

A critical sandbox escape vulnerability in SandboxJS allows attackers to break out of the JavaScript sandbox and execute arbitrary code with full application privileges.. A patch is available.

Is there a public PoC exploit available for CVE-2026-23830?

Yes, a public proof-of-concept exploit is available for CVE-2026-23830. Prioritise patching immediately. EPSS: 0.2%.

How to fix or mitigate CVE-2026-23830?

Within 24 hours: Inventory all applications and services using SandboxJS and identify affected versions; assess whether untrusted code execution occurs in your environment. Within 7 days: Apply vendor patch to upgrade SandboxJS to version 0.8.26 or later across all systems; prioritize production environments. Within 30 days: Conduct security testing to validate patch effectiveness; review logs for signs of exploitation attempts.

Sandboxjs CVE-2026-23830

CRITICAL

Code Injection (CWE-94)

2026-01-28 security-advisories@github.com

GHSA-wxhw-j4hc-fmq6

RCE Sandboxjs

10.0

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

10.0 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Feb 12, 2026 - 20:47 vuln.today

Public exploit code

Patch released

Feb 12, 2026 - 20:47 nvd

Patch available

CVE Published

Jan 28, 2026 - 00:15 nvd

CRITICAL 10.0

DescriptionGitHub Advisory

SandboxJS is a JavaScript sandboxing library. Versions prior to 0.8.26 have a sandbox escape vulnerability due to AsyncFunction not being isolated in SandboxFunction. The library attempts to sandbox code execution by replacing the global Function constructor with a safe, sandboxed version (SandboxFunction). This is handled in utils.ts by mapping Function to sandboxFunction within a map used for lookups. However, before version 0.8.26, the library did not include mappings for AsyncFunction, GeneratorFunction, and AsyncGeneratorFunction. These constructors are not global properties but can be accessed via the .constructor property of an instance (e.g., (async () => {}).constructor). In executor.ts, property access is handled. When code running inside the sandbox accesses .constructor on an async function (which the sandbox allows creating), the executor retrieves the property value. Since AsyncFunction was not in the safe-replacement map, the executor returns the actual native host AsyncFunction constructor. Constructors for functions in JavaScript (like Function, AsyncFunction) create functions that execute in the global scope. By obtaining the host AsyncFunction constructor, an attacker can create a new async function that executes entirely outside the sandbox context, bypassing all restrictions and gaining full access to the host environment (Remote Code Execution). Version 0.8.26 patches this vulnerability.

AnalysisAI

SandboxJS library prior to 0.8.26 has a CVSS 10.0 sandbox escape via AsyncFunction constructor, allowing execution of arbitrary code outside the sandbox boundary.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Send crafted JavaScript code to SandboxJS

Exploit

Access AsyncFunction constructor

Execution

Escape sandbox isolation

Impact

Execute arbitrary code outside sandbox

Access

Send crafted JavaScript code to SandboxJS

Exploit

Access AsyncFunction constructor

Execution

Escape sandbox isolation

Impact

Execute arbitrary code outside sandbox

Vulnerability AssessmentAI

Exploitation	SandboxJS versions prior to 0.8.26 with sandboxed code execution enabled. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 10.0 with PoC and patch. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker submits JavaScript code that uses the AsyncFunction constructor to break out of the SandboxJS sandbox, gaining access to the host Node.js environment and executing arbitrary code with the application's full privileges.
Remediation	Update to SandboxJS 0.8.26 or later. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all applications and services using SandboxJS and identify affected versions; assess whether untrusted code execution occurs in your environment. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-23830 vulnerability details – vuln.today

Back

Sandboxjs CVE-2026-23830

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code