JavaScript Sandboxing Library Vulnerability in SandboxJS by Nyariv
CVE-2026-34208
What is CVE-2026-34208?
CVE-2026-34208 is a vulnerability in SandboxJS, a JavaScript sandboxing library developed by Nyariv. The library creates isolated environments in which untrusted JavaScript can be executed safely, which matters for applications that run client-side scripts they do not fully control. The vulnerability stems from a flaw in how the library manages access to global objects: prior to version 0.8.36, SandboxJS allowed attackers to bypass its protections against direct assignment to those objects. By exploiting this flaw, an attacker can manipulate or inject arbitrary properties into host global objects, which compromises the integrity of the sandbox and lets those changes persist across multiple sandbox instances within the same process. This poses significant security risks for organizations that use SandboxJS, since it opens avenues for executing unauthorized actions or injecting malicious behaviors into applications.
Potential impact of CVE-2026-34208
- Unauthorized Data Manipulation: Attackers leveraging this vulnerability can alter global objects, leading to changes in application behavior and data manipulation that may result in loss of integrity and confidentiality of sensitive data processed by applications using SandboxJS.
- Persistent Security Compromises: The ability to persistently modify host global objects across different sandbox instances means that once the vulnerability is exploited, the malicious changes could remain even after the sandbox is reset, making it difficult for organizations to identify and remediate the breach.
- Increased Attack Surface: By facilitating the execution of arbitrary code within the sandbox, this vulnerability exposes applications to a wider attack surface, potentially allowing attackers to execute further exploits, escalate privileges, or move laterally within an organization’s network.
Affected Version(s)
SandboxJS < 0.8.36
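The following is an added example written for this advisory; it is not code from SandboxJS, from Nyariv, or from the advisory itself. It shows two defender-side checks that follow from the description above: a regression test that snapshots the host global object, runs guest code through whatever sandbox the host uses, and reports any property the guest added, removed or replaced on `globalThis` (the persistence across sandbox instances the advisory describes is exactly this kind of host-global mutation), and a helper that flags SandboxJS versions below the fixed release. The runner functions, the marker name `__cve_demo_marker` and the helper names are constructed for this example; the only value taken from the page is the fixed version 0.8.36.

```javascript
// Added example for this advisory; not code from SandboxJS or from Nyariv.
// Host-side regression check: diff the own properties of globalThis before and
// after guest code runs. Any difference means the sandbox boundary was crossed.

// Record every own property of globalThis (string and symbol keys, enumerable
// or not). Data properties are keyed by their value and accessors by their
// getter, so an unchanged property compares identical with Object.is later.
function snapshotGlobals() {
  const snap = new Map();
  for (const name of Reflect.ownKeys(globalThis)) {
    const desc = Object.getOwnPropertyDescriptor(globalThis, name);
    snap.set(name, { desc, key: 'value' in desc ? desc.value : desc.get });
  }
  return snap;
}

// runUntrusted: a zero-argument function that executes the guest code (in a
// real deployment, the call into the sandbox library). Returns the diff and
// rolls the host back so that later checks start from a clean global object.
function checkGlobalLeak(runUntrusted) {
  const before = snapshotGlobals();
  try {
    runUntrusted();
  } catch (_) {
    // A guest that throws may still have mutated globals before it failed.
  }
  const after = snapshotGlobals();

  const added = [], removed = [], changed = [];
  for (const [name, entry] of after) {
    if (!before.has(name)) added.push(name);
    else if (!Object.is(before.get(name).key, entry.key)) changed.push(name);
  }
  for (const name of before.keys()) if (!after.has(name)) removed.push(name);

  // Roll back: drop additions, restore replaced properties where permitted.
  for (const name of added) delete globalThis[name];
  for (const name of changed) {
    const { desc } = before.get(name);
    if (desc.configurable) Object.defineProperty(globalThis, name, desc);
    else if (desc.writable) globalThis[name] = desc.value;
  }
  return { added, removed, changed, leaked: added.length + removed.length + changed.length > 0 };
}

// Version gate: SandboxJS releases below this version are affected (from the advisory).
const SANDBOXJS_FIXED_VERSION = '0.8.36';

// Plain dotted-version comparison; returns true when `version` is older than the fix.
function isAffectedSandboxJsVersion(version) {
  const parse = v => v.split('.').map(n => parseInt(n, 10) || 0);
  const have = parse(version), fixed = parse(SANDBOXJS_FIXED_VERSION);
  for (let i = 0; i < 3; i++) {
    if ((have[i] || 0) < (fixed[i] || 0)) return true;
    if ((have[i] || 0) > (fixed[i] || 0)) return false;
  }
  return false; // equal to the fixed version
}

// Constructed demonstration: a runner that stands in for a sandbox which fails
// to isolate the host globals, and one that keeps its state local. The marker
// name is made up for this example.
const leakyRunner = () => { globalThis.__cve_demo_marker = 'leaked'; };
const cleanRunner = () => { const local = 'stays local'; return local; };

console.log(checkGlobalLeak(leakyRunner));
// { added: [ '__cve_demo_marker' ], removed: [], changed: [], leaked: true }
console.log(checkGlobalLeak(cleanRunner));
// { added: [], removed: [], changed: [], leaked: false }
console.log(isAffectedSandboxJsVersion('0.8.35'), isAffectedSandboxJsVersion('0.8.36'));
// true false
```

The check diffs only the own properties of the host global object; writes to shared prototypes such as `Object.prototype` would not show up here and need a separate check. Run it in the test suite for every guest script the host ships, and on any version upgrade, so that a regression in isolation fails the build rather than surfacing as persistent state in production.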
