CVE-2026-34208
Published April 6, 2026 · Updated April 6, 2026
What This Means
CVE-2026-34208 is a critical vulnerability in the SandboxJS library, with a CVSS score of 10. The flaw allows attackers to bypass the library's protection against direct assignment to global objects through an exposed callable constructor, enabling them to modify the host's global objects and persist those changes across sandbox instances in the same process. To mitigate this risk, upgrade to SandboxJS version 0.8.36 or later immediately.
Official Description
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, SandboxJS blocks direct assignment to global objects (for example Math.random = ...), but this protection can be bypassed through an exposed callable constructor path: this.constructor.call(target, attackerObject). Because this.constructor resolves to the internal SandboxGlobal function and Function.prototype.call is allowed, attacker code can write arbitrary properties into host global objects and persist those mutations across sandbox instances in the same process. This vulnerability is fixed in 0.8.36.
Recommended Actions
- Check whether your systems use the affected product, SandboxJS at a version prior to 0.8.36.
- Upgrade to SandboxJS 0.8.36 or later, the version in which the vendor fixed this issue.
- Monitor vendor advisories for updates and additional mitigations.
- Review logs for indicators of compromise related to CVE-2026-34208.
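The first recommended action, finding installs of the affected library, can be automated against an npm lockfile. The script below is an added example, not part of this advisory or of the SandboxJS project; it assumes the library is published under the npm name "@nyariv/sandboxjs" (the advisory only names "SandboxJS"), and it uses the fixed version 0.8.36 from the advisory as its threshold.

```javascript
// Added example: flag SandboxJS installs older than the fixed release in a
// parsed package-lock.json. Package names are assumed, not from the advisory.
const FIXED_VERSION = "0.8.36";
const PACKAGE_NAMES = new Set(["@nyariv/sandboxjs", "sandboxjs"]); // assumed

// Compare dotted numeric versions; returns -1, 0 or 1 like strcmp.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] ?? 0, y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Anything below 0.8.36 is affected; pre-release and build suffixes are
// dropped so "0.8.35-beta.1" is judged on its core version 0.8.35.
function isVulnerable(version) {
  const core = version.split(/[-+]/)[0];
  return compareVersions(core, FIXED_VERSION) < 0;
}

// Walk both lockfile layouts: the flat "packages" map (lockfileVersion 2/3)
// and the legacy nested "dependencies" tree (v1, also present in v2).
// Returns deduplicated "path@version" strings for each vulnerable install.
function findVulnerableSandboxJS(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages ?? {})) {
    const name = meta.name ?? path.split("node_modules/").pop();
    if (PACKAGE_NAMES.has(name) && meta.version && isVulnerable(meta.version)) {
      hits.push(`${path}@${meta.version}`);
    }
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps ?? {})) {
      const path = `${prefix}node_modules/${name}`;
      if (PACKAGE_NAMES.has(name) && isVulnerable(meta.version)) {
        hits.push(`${path}@${meta.version}`);
      }
      walk(meta.dependencies, path + "/");
    }
  };
  walk(lock.dependencies, "");
  return [...new Set(hits)];
}

// Constructed sample lockfile: one affected copy at top level, one fixed
// copy nested under a dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/@nyariv/sandboxjs": { version: "0.8.35" },
    "node_modules/some-lib/node_modules/@nyariv/sandboxjs": { version: "0.8.36" },
  },
};
console.log(findVulnerableSandboxJS(SAMPLE_LOCK));
```

For a real project, replace SAMPLE_LOCK with JSON.parse of the repository's package-lock.json; an empty result means no install below 0.8.36 was found under the assumed package names.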