Home / Vulnerability Intelligence / CVE-2026-26954

CVE-2026-26954 - Vulnerability Analysis

CriticalCVSS: 10.0

Last Updated: March 16, 2026

SandboxJS - Sandbox Escape

Published: March 13, 2026Updated: March 16, 2026Remote Exploitable

Overview

SandboxJS < 0.8.34 contains a sandbox escape vulnerability caused by obtaining arrays containing Function and using Object.fromEntries to construct arbitrary properties, letting attackers escape the sandbox, exploit requires crafted input.

Severity & Score

Severity: Critical

CVSS Score: 10.0

EPSS Score: 4.7%(Probability of exploitation in next 30 days)

Impact

Attackers can escape the sandbox, potentially executing arbitrary code or bypassing security restrictions.

Mitigation

Update to version 0.8.34 or later.

References

https://github.com/nyariv/SandboxJS/security/advisories/GHSA-6r9f-759j-hjgv

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 14, 2026

🔴 CVE-2026-26954 - Critical (10) SandboxJS is a JavaScript sandboxing library. Prior to 0.8.34, it is possible to obtain arrays containing Function, which allows escaping the sandbox. Given an array containing Function, and Object.fromEntries, it is possible to construct {[p]: Fu... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-26954/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-26954
Severity: Critical
CVSS Score: 10.0
Type: sandbox_escape
Status: unconfirmed
EPSS: 4.7%
Social Posts: 1

CWE

CWE-94

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score

4.7%Probability of exploitation in the next 30 days