Execution Quota Bypass in SandboxJS by Nyariv
CVE-2026-32723

4.8MEDIUM

Key Information:

Vendor: Nyariv
Status: Sandboxjs
Vendor: CVE Published:; 18 March 2026

What is CVE-2026-32723?

SandboxJS, a JavaScript sandboxing library, has a significant vulnerability that allows for an execution quota bypass prior to version 0.8.35. This issue arises from a shared global tick state (currentTicks.current) among multiple sandboxes. The tick state is used instead of the sandbox-specific tick object when compiling timer string handlers, which can lead to race conditions in multi-tenant environments. As a result, one sandbox may overwrite the tick state of another, allowing timer callbacks to execute under an incorrect tick budget. This vulnerability could potentially enable malicious actions that exceed the intended limits, compromising the security of the affected applications.

Affected Version(s)

SandboxJS < 0.8.35

References

https://github.com/nyariv/SandboxJS/security/advisories/G...

x_refsource_CONFIRM

https://github.com/nyariv/SandboxJS/commit/cc8f20b4928afe...

x_refsource_MISC

CVSS V4

Score:

4.8

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

Low

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 18, 2026
Vulnerability Reserved
Mar 13, 2026

CVE-2026-32723 Data

JSON