Nyariv Sandboxjs
14 CVEs affecting Nyariv Sandboxjs. Latest disclosed: 2026-05-28. Critical: 10, High: 0.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-43898 | Critical | 10.0 | 2026-05-28 | SandboxJS is a JavaScript sandboxing library. Prior to 0.9.6, sandbox-defined functions expose Function.caller, allowing sandboxed code to recover the internal… |
| CVE-2026-34208 | Critical | 10.0 | 2026-04-06 | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, SandboxJS blocks direct assignment to global objects (for example Math.random = ...), but this p… |
| CVE-2026-26954 | Critical | 10.0 | 2026-03-13 | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.34, it is possible to obtain arrays containing Function, which allows escaping the sandbox. Given an… |
| CVE-2026-25586 | Critical | 10.0 | 2026-02-06 | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, a sandbox escape is possible by shadowing hasOwnProperty on a sandbox object, which disables pro… |
| CVE-2026-25520 | Critical | 10.0 | 2026-02-06 | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, the return values of functions aren't wrapped. Object.values/Object.entries can be used to get a… |
| CVE-2026-25587 | Critical | 10.0 | 2026-02-06 | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, as Map is in SAFE_PROTOYPES, its prototype can be obtained via Map.prototype. By overwriting Ma… |
| CVE-2026-25641 | Critical | 10.0 | 2026-02-06 | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, there is a sandbox escape vulnerability due to a mismatch between the key on which the validatio… |
| CVE-2026-25142 | Critical | 10.0 | 2026-02-02 | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.27, SandboxJS does not properly restrict __lookupGetter__ which can be used to obtain prototypes, whi… |
| CVE-2026-23830 | Critical | 10.0 | 2026-01-27 | SandboxJS is a JavaScript sandboxing library. Versions prior to 0.8.26 have a sandbox escape vulnerability due to `AsyncFunction` not being isolated in `Sandbo… |
| CVE-2026-25881 | Critical | 9.1 | 2026-02-09 | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.31, a sandbox escape vulnerability allows sandboxed code to mutate host built-in prototypes by laund… |
| CVE-2026-34217 | | | 2026-04-06 | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, a scope modification vulnerability exists in @nyariv/sandboxjs. The vulnerability allows untrust… |
| CVE-2026-34211 | | | 2026-04-06 | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, the @nyariv/sandboxjs parser contains unbounded recursion in the restOfExp function and the lisp… |
| CVE-2026-32723 | | | 2026-03-18 | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.35, SandboxJS timers have an execution-quota bypass. A global tick state (`currentTicks.current`) is… |
| CVE-2025-34146 | | | 2025-07-31 | A prototype pollution vulnerability exists in @nyariv/sandboxjs versions <= 0.8.23, allowing attackers to inject arbitrary properties into Object.prototype via… |