CVE-2026-26954

| EUVD-2026-12043 CRITICAL
2026-03-13 GitHub_M GHSA-6r9f-759j-hjgv
10.0
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch Released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 13, 2026 - 16:57 vuln.today
EUVD ID Assigned
Mar 13, 2026 - 16:57 euvd
EUVD-2026-12043
CVE Published
Mar 13, 2026 - 15:51 nvd
CRITICAL 10.0

Tags

RCE Code Injection Sandboxjs

Description

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.34, it is possible to obtain arrays containing Function, which allows escaping the sandbox. Given an array containing Function, and Object.fromEntries, it is possible to construct {[p]: Function} where p is any constructible property. This vulnerability is fixed in 0.8.34.

Analysis

SandboxJS sandbox escape before 0.8.34 via Function access through arrays. CVSS 10.0.

Sign in for full analysis, threat intelligence, and remediation guidance.

Remediation

Within 24 hours: Inventory all applications and dependencies using SandboxJS to identify exposure scope; isolate or disable affected services if operationally feasible. Within 7 days: Implement network segmentation to restrict lateral movement from compromised systems; deploy WAF rules to detect exploitation attempts; establish enhanced monitoring for suspicious JavaScript execution patterns. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

50
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +50
POC: 0

Share

CVE-2026-26954 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy