CVE-2026-25586
published 2026-02-06

Priority: P2 60
Severity: critical, 10 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.64% (45.9th percentile)

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, a sandbox escape is possible by shadowing hasOwnProperty on a sandbox object, which disables prototype whitelist enforcement in the property-access path. This permits direct access to __proto__ and other blocked prototype properties, enabling host Object.prototype pollution and persistent cross-sandbox impact. This vulnerability is fixed in 0.8.29.

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| nyariv | sandboxjs | < 0.8.29 | 0.8.29 |
| nyariv | sandboxjs | >= 0 < 0.8.29 | 0.8.29 |