CVE-2026-32723 - Vulnerability Analysis
MediumCVSS: 4.7Last Updated: March 19, 2026
SandboxJS - Execution Quota Bypass
Published: March 18, 2026Updated: March 19, 2026PoC Available
Overview
SandboxJS < 0.8.35 contains an execution-quota bypass caused by shared global tick state used in timer string handlers, letting attackers bypass sandbox execution quotas in multi-tenant scenarios, exploit requires concurrent sandboxes.
Severity & Score
Severity: Medium
CVSS Score: 4.7
Impact
Attackers can bypass sandbox execution quotas, potentially leading to resource exhaustion or denial of service.
Mitigation
Update to version 0.8.35 or later.
References
Related Resources
Details
- CVE ID
- CVE-2026-32723
- Severity
- Medium
- CVSS Score
- 4.7
- Type
- sandbox_escape
- Status
- confirmed
CWE
- CWE-362
CVSS Metrics
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H