Sandbox Escape Vulnerability in pwn.college's DOJO Education Platform
CVE-2026-25117

8.3HIGH

Key Information:

Vendor: Pwncollege
Status: Dojo
Vendor: CVE Published:; 29 January 2026

What is CVE-2026-25117?

The DOJO education platform by pwn.college has a vulnerability that allows challenge authors to execute arbitrary JavaScript due to insufficient sandboxing on the /workspace/* routes. Prior to the commit e33da14449a5abcff507e554f66e2141d6683b0a, this oversight enabled the injection and execution of JavaScript with the same origin as the DOJO website, potentially allowing challenge authors to perform harmful actions that are destructive to users. This vulnerability has been mitigated in the specified commit.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

dojo < e33da14449a5abcff507e554f66e2141d6683b0a

References

https://github.com/pwncollege/dojo/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/pwncollege/dojo/commit/e33da14449a5abc...

x_refsource_MISC

CVSS V4

Score:

8.3

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Timeline

Vulnerability published
Jan 29, 2026
Vulnerability Reserved
Jan 29, 2026

JSON

Pwncollege