Vulnerability in Nyariv Sandboxjs

CVE-2026-32723

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.35, SandboxJS timers have an execution-quota bypass. A global tick state (`currentTicks.current`) is shared between sandboxes. Timer string handlers are compiled at execution time…

Vulnerability class: Race Condition

EPSS: 0.000 (0.3th percentile) — read the EPSS interpretation.

Affected products

Nyariv Sandboxjs — versions < 0.8.35

Weakness classification (CWE)

CWE-362 — Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)

References

https://github.com/nyariv/SandboxJS/security/advisories/GHSA-7p5m-xrh7-769r (x_refsource_CONFIRM)
https://github.com/nyariv/SandboxJS/commit/cc8f20b4928afed5478d5ad3d1737ef2dcfaac29 (x_refsource_MISC)