CVE-2026-25587
published 2026-02-06

Priority: P3 53 | critical | 10 | CVSS 3.1
AV:N AC:L PR:N UI:N S:C C:H I:H A:H
EPSS: 0.65% (46.3th percentile)
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, because Map is in SAFE_PROTOYPES, its prototype can be obtained via Map.prototype. By overwriting Map.prototype.has, the sandbox can be escaped. This vulnerability is fixed in 0.8.29.

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| nyariv | sandboxjs | < 0.8.29 | 0.8.29 |
| nyariv | sandboxjs | >= 0 < 0.8.29 | 0.8.29 |

CVSS provenance

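| Source | Version | Score | Severity | Vector |
| --- | --- | --- | --- | --- |
| nvd | v3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| ghsa | | 10.0 | CRITICAL | |
| osv | | 10.0 | CRITICAL | |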