CVE-2026-43898 CRITICAL

CVE-2026-43898: SandboxJS: Sandbox escape via Function.caller leakage of internal call op

Vendor Nyariv
Product SandboxJS
Weakness CWE-94 · Code injection
Published May 28, 2026
Last update May 28, 2026

CVSS base score

10.0/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

SandboxJS is a JavaScript sandboxing library. Prior to 0.9.6, sandbox-defined functions expose Function.caller, allowing sandboxed code to recover the internal LispType.Call runtime callback. That callback can then be invoked with attacker-controlled fake context and obj values to extract blocked host statics, recover the real host Function constructor, and execute arbitrary host JavaScript. This vulnerability is fixed in 0.9.6.

Key dates

02Disclosure timeline

May 28, 2026 CVE published
May 28, 2026 Record updated