PT-2026-25322 · Sandboxjs · Sandboxjs

C0Rydoras · Published 2026-03-13 · Updated 2026-03-17

CVE-2026-26954
CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SandboxJS versions prior to 0.8.34
Description: SandboxJS is a JavaScript sandboxing library susceptible to a sandbox escape. The issue arises from the ability to obtain, from inside the sandbox, arrays that contain the Function constructor. Combined with Object.fromEntries, this allows constructing objects whose properties execute arbitrary code, leading to a complete escape from the sandbox. The published Proof of Concept (PoC) demonstrates the issue by calling process.getBuiltinModule("child_process").execSync("ls", {stdio: "inherit"}) to execute a system command. The vulnerability can result in Remote Code Execution (RCE). No specific API endpoint is identified. The vulnerable variable is Function.
Recommendations: Versions prior to 0.8.34 should be updated to version 0.8.34 or later.

Tags: Exploit · Fix · RCE · Code Injection

Weakness Enumeration

Related Identifiers

BDU:2026-04459
CVE-2026-26954
GHSA-6R9F-759J-HJGV

Affected Products

Sandboxjs