CVE-2026-34208: Nyariv · Sandboxjs
Vulnerability data via NVD (ingested)
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, SandboxJS blocks direct assignment to global objects (for example Math.random = ...), but this protection can be bypassed through an exposed callable constructor path: this.constructor.call(target, attackerObject). Because this.constructor resolves to the internal SandboxGlobal function and Function.prototype.call is allowed, attacker code can write arbitrary properties into host global objects and persist those mutations across sandbox instances in the same process. This vulnerability is fixed in 0.8.36.
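Because the description says the mutations persist across sandbox instances in the same process, a host can check its built-in objects before and after untrusted code runs. The following is an added example, not code from NVD or the SandboxJS project; `WATCHED`, `snapshot`, `diff`, `restore` and `copyOntoThis` are hypothetical names, and `copyOntoThis` is a constructed stand-in that only models the effect described, not SandboxJS internals.

```javascript
const WATCHED = { Math, JSON, Object }; // constructed selection of host globals

// Record every own property descriptor (string and symbol keys) of each object.
function snapshot(watched = WATCHED) {
  const snap = new Map();
  for (const [name, obj] of Object.entries(watched)) {
    const props = new Map(Reflect.ownKeys(obj).map(
      (key) => [key, Object.getOwnPropertyDescriptor(obj, key)]));
    snap.set(name, { obj, props });
  }
  return snap;
}

// Compare the live objects against the snapshot and list what differs.
function diff(snap) {
  const findings = [];
  for (const [name, { obj, props }] of snap) {
    const live = Reflect.ownKeys(obj);
    for (const key of live) {
      const was = props.get(key);
      const now = Object.getOwnPropertyDescriptor(obj, key);
      const same = was && Object.is(was.value, now.value) &&
        was.get === now.get && was.set === now.set;
      if (!same) findings.push(`${name}.${String(key)} ${was ? 'changed' : 'added'}`);
    }
    for (const key of props.keys()) if (!live.includes(key)) findings.push(`${name}.${String(key)} removed`);
  }
  return findings;
}

// Put the recorded descriptors back and delete properties that were added.
function restore(snap) {
  for (const { obj, props } of snap.values()) {
    for (const key of Reflect.ownKeys(obj)) if (!props.has(key)) delete obj[key];
    for (const [key, desc] of props) Object.defineProperty(obj, key, desc);
  }
}

// Constructed stand-in (assumption): copies properties onto `this` when invoked via .call().
function copyOntoThis(src) { for (const k in src) this[k] = src[k]; }

function runDemo() {
  const snap = snapshot();                 // taken before the sandbox runs
  copyOntoThis.call(Math, { random: () => 0.5, injected: true });
  const findings = diff(snap);             // checked after the sandbox returns
  restore(snap);                           // revert so later sandboxes start clean
  return { findings, afterRestore: diff(snap) };
}
console.log(runDemo());
```

The check only covers own properties of the listed objects; prototypes such as `Object.prototype` need their own entries in `WATCHED` to be monitored.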
Search for exposed instances
Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).
vuln:CVE-2026-34208
product:"Nyariv Sandboxjs"
http.html:"Sandboxjs"
vulnerabilities.cve_id: CVE-2026-34208
CVE-2026-34208
"CVE-2026-34208" exploit -site:nvd.nist.gov