CVE-2026-25117

CVSS v4.0

8.3

High

Vector

AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N

Name of the Vulnerable Software and Affected Versions pwn.college DOJO versions prior to commit e33da14449a5abcff507e554f66e2141d6683b0a

Description A missing sandbox implementation on routes starting with /workspace/* allows challenge authors to inject arbitrary JavaScript code. This code executes within the same origin as http[:]//dojo[.]website, resulting in a sandbox escape and arbitrary JavaScript execution with the privileges of the DOJO origin. An attacker, specifically a challenge author, can create a malicious page that performs dangerous actions on behalf of a user. The affected API endpoint is /workspace/*. The vulnerable component is the sandboxing mechanism for routes starting with /workspace/*.

Recommendations Update to commit e33da14449a5abcff507e554f66e2141d6683b0a or a later version to address the missing sandboxing issue.

Exploit

Fix

RCE

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20CWE-79

Related Identifiers

CVE-2026-25117

GHSA-WVCF-9XM8-7MRG

Affected Products

Dojo

CVE-2026-25117

Weakness Enumeration

Related Identifiers

Affected Products

References · 7