CVE-2026-34208 - Vulnerability Analysis
Critical | CVSS: 10.0 | Last Updated: April 6, 2026
SandboxJS - Prototype Pollution
Published: April 6, 2026 | Updated: April 6, 2026 | Remote Exploitable
Overview
SandboxJS versions before 0.8.36 contain a prototype pollution vulnerability caused by an exposed callable constructor path. Attacker code can use this path to write arbitrary properties into host global objects, and those mutations persist across sandbox instances. Exploitation requires executing crafted code within the sandbox.
Severity & Score
Severity: Critical
CVSS Score: 10.0
Impact
Attackers can persistently modify host global objects, potentially leading to privilege escalation or arbitrary code execution.
Mitigation
Update to version 0.8.36 or later.
Details
- CVE ID: CVE-2026-34208
- Severity: Critical
- CVSS Score: 10.0
- Type: prototype_pollution
- Status: new
CWE
- CWE-693
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L