Skip to main content

QuickJS-NG EUVDEUVD-2026-29291

| CVE-2026-37630 HIGH
Code Injection (CWE-94)
2026-05-11 mitre GHSA-5m3h-w8g2-q63h
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Generated
May 12, 2026 - 14:29 vuln.today
CVSS changed
May 12, 2026 - 14:22 NVD
7.3 (HIGH)
CVE Published
May 11, 2026 - 00:00 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 00:00 nvd
HIGH 7.3

DescriptionCVE.org

An issue in QuickJS-NG v.0.12.1 allows an attacker to execute arbitrary code via the js_mapped_arguments_mark function

AnalysisAI

Remote code execution in QuickJS-NG 0.12.1 allows unauthenticated network attackers to execute arbitrary code through the js_mapped_arguments_mark function. The vulnerability enables attackers to achieve code injection with low confidentiality, integrity, and availability impact via network-accessible JavaScript engine exploitation. EPSS score of 0.02% (5th percentile) indicates very low predicted exploitation probability, and no active exploitation has been publicly reported at time of analysis.

Technical ContextAI

QuickJS-NG is a fork of QuickJS, a small and embeddable JavaScript engine that supports ES2020 features. The vulnerability resides in the js_mapped_arguments_mark function, which is part of the garbage collection/memory marking subsystem responsible for managing JavaScript function arguments objects. CWE-94 (Code Injection) indicates the flaw allows externally-supplied code or commands to be executed within the interpreter's context. This type of vulnerability in JavaScript engines typically arises from improper validation or sanitization during parsing, compilation, or runtime execution phases, allowing specially-crafted JavaScript code to break out of intended execution boundaries.

RemediationAI

Upgrade QuickJS-NG to a version newer than 0.12.1 if available; consult the GitHub issue tracker at github.com/quickjs-ng/quickjs/issues/1400 for patch status and release information. As of this analysis, no specific patched version number has been independently confirmed from the provided data sources, and the GitHub issue link should be reviewed for maintainer responses, commits, or release notes addressing CVE-2026-37630. If immediate patching is not feasible, implement compensating controls: restrict QuickJS-NG exposure to trusted JavaScript sources only, deploy network segmentation to isolate systems running vulnerable versions, and implement input validation/sanitization for any externally-supplied JavaScript code before execution. For embedded or IoT deployments, disable network accessibility to the JavaScript engine interface if the use case permits local-only operation. Monitor the official QuickJS-NG repository for security advisories at https://github.com/quickjs-ng/quickjs. Note that restricting network access (blocking AV:N) fundamentally changes the attack surface but may conflict with legitimate use cases requiring remote script execution.

Share

EUVD-2026-29291 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy