JustAppSec

SandboxJS fixes Critical sandbox escape to host code execution (CVE-2026-26954)

What happened

A GitHub Security Advisory for @nyariv/sandboxjs (SandboxJS) reports a Critical sandbox escape (CVE-2026-26954). The advisory states that sandboxed code can obtain an array containing the host Function constructor and use it to escape the sandbox, resulting in host code execution.

Who is impacted

  • Projects that execute untrusted or semi-trusted JavaScript using SandboxJS.
  • Affected versions: <= 0.8.33.
  • Patched version: 0.8.34.

What to do now

  • Upgrade immediately to SandboxJS 0.8.34 (or newer).
  • If you rely on SandboxJS for tenant isolation or running user-provided scripts, assume prior executions may have had a path to sandbox escape → RCE and review runtime isolation (e.g., least-privilege OS user, container/jail boundaries, network egress restrictions).
  • Inventory where @nyariv/sandboxjs is used (including transitive dependencies) and prioritize internet-exposed or multi-tenant services.
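As an added example (not from the advisory or from the SandboxJS project), the following Node.js script performs the inventory step above: it walks the `packages` map of a lockfileVersion 2 or 3 `package-lock.json`, finds every installed copy of `@nyariv/sandboxjs`, including nested copies pulled in transitively, and flags those below the patched version 0.8.34. The lockfile embedded at the bottom is a constructed sample; the function and constant names are this example's own.

```javascript
// Added example (not the advisory's or the project's code): find installed
// copies of @nyariv/sandboxjs in a package-lock.json and flag affected versions.
// Affected: <= 0.8.33, patched: 0.8.34 (values from the advisory).

const PACKAGE = "@nyariv/sandboxjs";
const FIRST_FIXED = "0.8.34";

// Parse "MAJOR.MINOR.PATCH" into integers; any pre-release/build suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// A version is affected when it is strictly below the first fixed release.
function isAffected(version) {
  return compareVersions(version, FIRST_FIXED) < 0;
}

// Walk the "packages" map of a v2/v3 lockfile. Keys are install paths such as
// "node_modules/@nyariv/sandboxjs" or
// "node_modules/some-dep/node_modules/@nyariv/sandboxjs", so transitive copies
// installed under another dependency are found too.
function findAffected(lockfile) {
  const findings = [];
  const packages = lockfile.packages || {};
  for (const [installPath, meta] of Object.entries(packages)) {
    if (installPath === "") continue; // the root project entry
    const marker = "node_modules/";
    const name = meta.name || installPath.slice(installPath.lastIndexOf(marker) + marker.length);
    if (name !== PACKAGE) continue;
    findings.push({ path: installPath, version: meta.version, affected: isAffected(meta.version) });
  }
  return findings;
}

// Only the entries that need action, formatted as "path@version".
function report(lockfile) {
  return findAffected(lockfile)
    .filter((f) => f.affected)
    .map((f) => `${f.path}@${f.version}`);
}

// Constructed sample lockfile (not from any real project): one direct affected
// copy at the top level and one transitive copy that is already patched.
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/@nyariv/sandboxjs": { version: "0.8.33" },
    "node_modules/tenant-runner": { version: "2.1.0", dependencies: { "@nyariv/sandboxjs": "^0.8.34" } },
    "node_modules/tenant-runner/node_modules/@nyariv/sandboxjs": { version: "0.8.34" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};

console.log(report(SAMPLE_LOCKFILE).join("\n") || "no affected copies found");
```

To scan a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `report` instead of the sample object. Because the lockfile records the exact resolved version at every install path, this catches copies nested under other dependencies that a top-level `package.json` check would miss; it does not cover lockfileVersion 1 files, which use a nested `dependencies` tree rather than a flat `packages` map.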

Additional Information

  • CVSS (v3.1): 10.0 (Critical), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.
  • Weakness: CWE-94.
  • The advisory notes example paths by which sandboxed code can obtain Function, e.g. Object.entries(this).at(1) or Object.values(this).slice(1, 2), and describes using Object.fromEntries to construct an object that enables the sandbox escape.
  • Credit: finder listed as c0rydoras.

Source: GitHub Security Advisory
Published 13 Mar 2026

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
