RCE in Nyariv Sandboxjs
CVE-2026-26954
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.34, it is possible to obtain arrays containing Function, which allows escaping the sandbox. Given an array containing Function, and Object.fromEntries, it is possible to construct…
Vulnerability class: RCE (Remote Code Execution)
EPSS: 0.001 (26.3rd percentile).
CVSS v3 metric
CVSS v3 base score 10.0 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.
Affected products
- Nyariv Sandboxjs — versions < 0.8.34
Weakness classification (CWE)
References
- https://github.com/nyariv/SandboxJS/security/advisories/GHSA-6r9f-759j-hjgv (x_refsource_CONFIRM)
Frequently asked questions
- What is CVE-2026-26954?
  - CVE-2026-26954 is a critical-severity vulnerability in Nyariv Sandboxjs, classified under Code Injection. CVSS score: 10.0/10. Published 2026-03-13.
- How severe is CVE-2026-26954?
  - Critical severity. CVSS v3 base score is 10.0 out of 10.