Code Execution Vulnerability in expr-eval Package by SilentMatt
CVE-2026-12866

9.2 CRITICAL

Key Information:

Vendor: SilentMatt
Status: Vendor
CVE Published: 23 June 2026

What is CVE-2026-12866?

The expr-eval package contains a code execution flaw in its toJSFunction() API. An attacker who can supply a specially crafted expression, which toJSFunction() compiles to native code with new Function(), can execute arbitrary JavaScript. This lets a malicious user escape the sandbox that the expression language is meant to provide and run unauthorized code within the application's environment.

Affected Version(s)

expr-eval 0

References

CVSS V4

Score: 9.2
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Dinh Twan Doan