CVE-2026-34217
SandboxJS has a Sandbox Escape via Prop Object Leak in New Handler
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, a scope modification vulnerability exists in @nyariv/sandboxjs. Untrusted sandboxed code can leak internal interpreter objects through the new operator, which exposes sandbox scope objects in the scope hierarchy to that code. This behavior is unexpected and undesired. While it could allow modifying scopes inside the sandbox, code evaluation remains sandboxed and prototypes remain protected throughout the execution. This vulnerability is fixed in 0.8.36.
| CWE | CWE-668 |
| Vendor | nyariv |
| Product | sandboxjs |
| Published | Apr 6, 2026 |
| Last Updated | Apr 6, 2026 |
Affected Versions
nyariv / SandboxJS
< 0.8.36