CVE-2026-43898
published 2026-05-28

Priority: P2 63
Severity: critical
CVSS 3.1 base score: 10.0
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.47% (37.3th percentile)
SandboxJS is a JavaScript sandboxing library. Prior to 0.9.6, sandbox-defined functions expose Function.caller, allowing sandboxed code to recover the internal LispType.Call runtime callback. That callback can then be invoked with attacker-controlled fake context and obj values to extract blocked host statics, recover the real host Function constructor, and execute arbitrary host JavaScript. This vulnerability is fixed in 0.9.6.

Affected (2 ranges)

Vendor   Product    Version range    Fixed in
nyariv   sandboxjs  < 0.9.6          0.9.6
nyariv   sandboxjs  >= 0, < 0.9.6    0.9.6