CVE-2026-34458: CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') in sandboxie-plus Sandboxie
Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, an INI injection vulnerability allows any standard local user to bypass configuration restrictions (EditAdminOnly and ConfigPassword) and inject arbitrary directives into the global Sandboxie.ini configuration file. The background service skips authorization checks for IPC messages targeting sections beginning with UserSettings_, but does not sanitize CRLF characters in either the value parameter (via MSGID_SBIE_INI_ADD_SETTING) or the setting name parameter (via MSGID_SBIE_INI_SET_SETTING). An attacker can inject a new sandbox section header with unrestricted permissions, enabling sandbox escape and SYSTEM privilege escalation. This issue has been fixed in version 1.17.3.
AI Analysis
Technical Summary
Sandboxie-Plus, an open source sandbox isolation tool for Windows, suffers from an INI injection vulnerability (CWE-93) in versions prior to 1.17.3. The background service processes IPC messages targeting UserSettings_ sections without sanitizing CRLF characters in the value or setting name parameters. This allows a standard local user to inject new sandbox section headers with elevated permissions by bypassing EditAdminOnly and ConfigPassword restrictions. The vulnerability enables sandbox escape and SYSTEM-level privilege escalation. The vulnerability has been addressed in version 1.17.3.
Potential Impact
A local attacker with standard user privileges can exploit this vulnerability to inject arbitrary configuration directives into the global Sandboxie.ini file. This leads to the creation of sandbox sections with unrestricted permissions, allowing the attacker to escape the sandbox environment and escalate privileges to SYSTEM level. The CVSS 4.0 score of 9.3 reflects the critical nature of this vulnerability with high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
This vulnerability is fixed in Sandboxie-Plus version 1.17.3. Users and administrators should upgrade to version 1.17.3 or later to remediate this issue. No other mitigations are indicated by the vendor advisory. Patch status is confirmed by the vendor's versioning information.
CVE-2026-34458: CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') in sandboxie-plus Sandboxie
Description
Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, an INI injection vulnerability allows any standard local user to bypass configuration restrictions (EditAdminOnly and ConfigPassword) and inject arbitrary directives into the global Sandboxie.ini configuration file. The background service skips authorization checks for IPC messages targeting sections beginning with UserSettings_, but does not sanitize CRLF characters in either the value parameter (via MSGID_SBIE_INI_ADD_SETTING) or the setting name parameter (via MSGID_SBIE_INI_SET_SETTING). An attacker can inject a new sandbox section header with unrestricted permissions, enabling sandbox escape and SYSTEM privilege escalation. This issue has been fixed in version 1.17.3.
CVSS v4.0
Score 9.3critical
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Sandboxie-Plus, an open source sandbox isolation tool for Windows, suffers from an INI injection vulnerability (CWE-93) in versions prior to 1.17.3. The background service processes IPC messages targeting UserSettings_ sections without sanitizing CRLF characters in the value or setting name parameters. This allows a standard local user to inject new sandbox section headers with elevated permissions by bypassing EditAdminOnly and ConfigPassword restrictions. The vulnerability enables sandbox escape and SYSTEM-level privilege escalation. The vulnerability has been addressed in version 1.17.3.
Potential Impact
A local attacker with standard user privileges can exploit this vulnerability to inject arbitrary configuration directives into the global Sandboxie.ini file. This leads to the creation of sandbox sections with unrestricted permissions, allowing the attacker to escape the sandbox environment and escalate privileges to SYSTEM level. The CVSS 4.0 score of 9.3 reflects the critical nature of this vulnerability with high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
This vulnerability is fixed in Sandboxie-Plus version 1.17.3. Users and administrators should upgrade to version 1.17.3 or later to remediate this issue. No other mitigations are indicated by the vendor advisory. Patch status is confirmed by the vendor's versioning information.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-27T18:18:14.895Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fa4dc2cbff5d861021529c
Added to database: 5/5/2026, 8:06:26 PM
Last enriched: 5/13/2026, 3:40:28 AM
Last updated: 6/20/2026, 3:31:01 AM
Views: 150
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.