Critical severity (CVSS 10.0) · NVD Advisory · Published May 28, 2026 · Updated May 28, 2026
CVE-2026-43898
Description
SandboxJS is a JavaScript sandboxing library. Prior to 0.9.6, sandbox-defined functions expose Function.caller, allowing sandboxed code to recover the internal LispType.Call runtime callback. That callback can then be invoked with attacker-controlled fake context and obj values to extract blocked host statics, recover the real host Function constructor, and execute arbitrary host JavaScript. This vulnerability is fixed in 0.9.6.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| @nyariv/sandboxjs | npm | < 0.9.6 | 0.9.6 |
Patches: 1 (listed under References)
References (4)
- Patch (source: NVD, web): github.com/nyariv/SandboxJS/commit/826865251232611ec94078bab5a18ec875dad4a5
- Vendor advisory, exploit (source: NVD, web): github.com/nyariv/SandboxJS/security/advisories/GHSA-g8f2-4f4f-5jqw
- Advisory (source: GHSA): github.com/advisories/GHSA-g8f2-4f4f-5jqw
- Advisory (source: GHSA): nvd.nist.gov/vuln/detail/CVE-2026-43898
News mentions (1)
- ⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More (The Hacker News, May 18, 2026)