CVE-2026-26954 is a critical vulnerability classified under CWE-94 (Improper Control of Generation of Code), affecting the nyariv SandboxJS JavaScript sandboxing library versions prior to 0.8.34. SandboxJS is designed to isolate and securely execute untrusted JavaScript code by restricting access to dangerous functions and objects. However, this vulnerability arises because attackers can obtain arrays containing the JavaScript Function constructor, which allows dynamic code execution. By combining this with Object.fromEntries, an attacker can craft an object with a property whose key is any constructible property and whose value is the Function constructor, effectively escaping the sandbox restrictions. This escape enables arbitrary code execution outside the sandbox, compromising the security guarantees SandboxJS aims to provide. The vulnerability requires no authentication or user interaction and can be exploited remotely if the sandboxed environment processes attacker-controlled input. The CVSS v3.1 score is 10.0 (critical), reflecting the ease of exploitation and the severe impact on confidentiality, integrity, and availability. The issue was publicly disclosed on March 13, 2026, and fixed in version 0.8.34 of SandboxJS. No known exploits in the wild have been reported yet, but the critical nature demands immediate attention.

The impact of CVE-2026-26954 is severe for organizations using vulnerable versions of SandboxJS. Successful exploitation allows attackers to break out of the sandbox environment, leading to arbitrary code execution on the host system. This can result in full system compromise, data theft, unauthorized access to sensitive information, and disruption of services. Since SandboxJS is used to safely run untrusted JavaScript code, this vulnerability undermines the fundamental security model, potentially affecting web applications, development tools, and server-side JavaScript environments that rely on sandboxing for security. The vulnerability's remote exploitability without authentication or user interaction increases the risk of widespread attacks. Organizations handling sensitive data or operating critical infrastructure with SandboxJS integration face heightened risks of data breaches, service outages, and reputational damage.

To mitigate CVE-2026-26954, organizations should immediately upgrade all instances of nyariv SandboxJS to version 0.8.34 or later, where the vulnerability is patched. Additionally, review and audit any custom sandboxing implementations or wrappers around SandboxJS to ensure they do not inadvertently expose the Function constructor or allow Object.fromEntries misuse. Implement strict input validation and sanitization for any data processed within sandboxed environments to reduce the risk of injection attacks. Employ runtime monitoring and anomaly detection to identify suspicious code execution patterns indicative of sandbox escapes. Where possible, isolate sandboxed environments further using containerization or virtualization to limit the blast radius of potential exploits. Maintain an inventory of all applications and services using SandboxJS to ensure comprehensive patching. Finally, stay informed about updates from the vendor and security advisories related to SandboxJS and similar sandboxing libraries.