CVE-2026-25117
Lifecycle Timeline
2DescriptionCVE.org
pwn.college DOJO is an education platform for learning cybersecurity. Prior to commit e33da14449a5abcff507e554f66e2141d6683b0a, missing sandboxing on /workspace/* routes allows challenge authors to inject arbitrary javascript which runs on the same origin as http[:]//dojo[.]website. This is a sandbox escape leading to arbitrary javascript execution as the dojo's origin. A challenge author can craft a page that executes any dangerous actions that the user could. Version e33da14449a5abcff507e554f66e2141d6683b0a patches the issue.
AnalysisAI
pwn.college DOJO is an education platform for learning cybersecurity. Prior to commit e33da14449a5abcff507e554f66e2141d6683b0a, missing sandboxing on /workspace/* routes allows challenge authors to inject arbitrary javascript which runs on the same origin as http[:]//dojo[.]website.
Technical ContextAI
Classified as CWE-20 (Improper Input Validation). pwn.college DOJO is an education platform for learning cybersecurity. Prior to commit e33da14449a5abcff507e554f66e2141d6683b0a, missing sandboxing on /workspace/* routes allows challenge authors to inject arbitrary javascript which runs on the same origin as http[:]//dojo[.]website. This is a sandbox escape leading to arbitrary javascript execution as the dojo's origin. A challenge author can craft a page that executes any dangerous actions that the user could. Version e33da14449a5abcff507e5
Affected ProductsAI
pwn.college DOJO is an education platform for learning cybersecurity
RemediationAI
Monitor vendor advisories for a patch.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today