CVE-2026-25117 HIGH

CVE-2026-25117: pwn.college DOJO vulnerable to sandbox escape leading to arbitrary javascript execution

Vendor Pwncollege

Product dojo

Weakness CWE-20 · Input validation

Published January 29, 2026

Last update February 2, 2026

View on NVD All CVEs

CVSS base score

8.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N

What the vulnerability does

Description

pwn.college DOJO is an education platform for learning cybersecurity. Prior to commit e33da14449a5abcff507e554f66e2141d6683b0a, missing sandboxing on `/workspace/*` routes allows challenge authors to inject arbitrary javascript which runs on the same origin as `http[:]//dojo[.]website`. This is a sandbox escape leading to arbitrary javascript execution as the dojo's origin. A challenge author can craft a page that executes any dangerous actions that the user could. Version e33da14449a5abcff507e554f66e2141d6683b0a patches the issue.

Key dates

Disclosure timeline

January 29, 2026 CVE published

February 2, 2026 Record updated

Identifiers

CVE CVE-2026-25117

CWE CWE-20

CVSS 8.3 / HIGH

Affected versions

Vendor Pwncollege

Product dojo

Affected < e33da14449a5abcff507e554f66e2141d6683b0a