CVE-2026-34217 | THREATINT

Description

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, a scope modification vulnerability exists in @nyariv/sandboxjs. The vulnerability allows untrusted sandboxed code to leak internal interpreter objects through the new operator, exposing sandbox scope objects in the scope hierarchy to untrusted code; an unexpected and undesired exploit. While this could allow modifying scopes inside the sandbox, code evaluation remains sandboxed and prototypes remain protected throughout the execution. This vulnerability is fixed in 0.8.36.

PUBLISHED Reserved 2026-03-26 | Published 2026-04-06 | Updated 2026-04-06 | Assigner GitHub_M

MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-668: Exposure of Resource to Wrong Sphere

Product status

< 0.8.36

affected

References

github.com/...dboxJS/security/advisories/GHSA-hg73-4w7g-q96w exploit

github.com/...dboxJS/security/advisories/GHSA-hg73-4w7g-q96w

cve.org (CVE-2026-34217)

nvd.nist.gov (CVE-2026-34217)

Download JSON