PatchSiren cyber security CVE debrief
CVE-2026-12866 silentmatt CVE debrief
CVE-2026-12866 is a critical vulnerability in the expr-eval package that allows code execution via the toJSFunction() API. The API compiles an expression into native JavaScript with new Function(), so an attacker who can supply a crafted expression can execute arbitrary JavaScript. Because user-controlled expressions are turned directly into executable source, they escape the intended expression sandbox and run with the application's privileges. The vulnerability has a CVSS score of 9.2 (critical). It was published on June 23, 2026, and last modified the same day. The expr-eval package is used in a wide range of applications, and users are advised to update to a patched version as soon as possible.
- Vendor: silentmatt
- Product: expr-eval
- CVSS: CRITICAL 9.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-23
- Original CVE updated: 2026-06-23
- Advisory published: 2026-06-23
- Advisory updated: 2026-06-23
Who should care
Developers and administrators who ship applications depending on the expr-eval package should treat this as urgent. Successful exploitation means arbitrary code execution in the application's context, which can lead to complete compromise of the application and the systems underneath it. Operators of applications that use expr-eval should prioritize patching and monitoring.
Technical summary
The expr-eval package is vulnerable to code execution through the toJSFunction() API. The root cause is that the package transforms user-controlled expressions directly into executable JavaScript using new Function(); the expression text therefore reaches the JavaScript engine as source code rather than being interpreted within a restricted grammar. This lets attackers escape the intended expression sandbox and run arbitrary code in the application's context. The vulnerability has a CVSS score of 9.2 and is rated critical. The CVSS vector is CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X, which encodes a network-reachable, low-complexity attack with no privileges or user interaction required, attack requirements present (AT:P), and high confidentiality, integrity and availability impact on the vulnerable system.
Defensive priority
This vulnerability has a high defensive priority due to its critical CVSS score and potential impact on applications using the expr-eval package. Users should prioritize patching and monitoring to prevent potential attacks.
Recommended defensive actions
- Update to a patched version of the expr-eval package as soon as possible.
- Review application code to ensure that user-controlled expressions are properly sanitized and validated.
- Implement additional security measures, such as sandboxing and monitoring, to detect and prevent potential attacks.
- Consider using alternative packages or libraries that do not have this vulnerability.
- Monitor application logs and security event logs for potential attacks.
- Perform regular vulnerability scans and penetration testing to identify potential vulnerabilities.
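The technical summary and the defensive actions above both come down to one design rule: never let user-supplied expression text reach the JavaScript engine as source. The following is an added example, not code from expr-eval or from this advisory, of the safer pattern: a small expression evaluator that tokenizes, parses into an AST and interprets it, with a fixed operator grammar, an explicit function allowlist and variables resolved only from a caller-supplied scope. The grammar, the allowlisted function names (sqrt, max, min, abs) and the API names safeEval and safeCompile are this example's own choices, not the library's.

```javascript
// Added example (not expr-eval code): interpret expressions instead of
// compiling them with new Function(). Nothing the user types is ever
// evaluated as JavaScript, so there is no sandbox to escape.

// One token per match: a number, an identifier, or a single-char operator.
// Any other character (".", "[", "=", quotes, ...) is a syntax error.
const TOKEN_RE = /\s*(?:(\d+(?:\.\d+)?)|([A-Za-z_]\w*)|([-+*\/^(),]))/y;

function tokenize(src) {
  const tokens = [];
  let pos = 0;
  while (pos < src.length) {
    TOKEN_RE.lastIndex = pos;
    const m = TOKEN_RE.exec(src);
    if (!m) {
      if (/^\s*$/.test(src.slice(pos))) break;       // trailing whitespace only
      throw new SyntaxError(`unexpected character at offset ${pos}`);
    }
    pos = TOKEN_RE.lastIndex;
    if (m[1] !== undefined) tokens.push({ t: 'num', v: Number(m[1]) });
    else if (m[2] !== undefined) tokens.push({ t: 'id', v: m[2] });
    else tokens.push({ t: 'op', v: m[3] });
  }
  return tokens;
}

// Precedence-climbing parser producing a plain AST. There is deliberately
// no member access, no assignment and no string literal in the grammar.
const PREC = { '+': 1, '-': 1, '*': 2, '/': 2, '^': 4 };

function parse(tokens) {
  let i = 0;
  const peek = () => tokens[i];
  const next = () => tokens[i++];
  const expect = (v) => {
    const tk = next();
    if (!tk || tk.v !== v) throw new SyntaxError(`expected "${v}"`);
  };
  function primary() {
    const tk = next();
    if (!tk) throw new SyntaxError('unexpected end of expression');
    if (tk.t === 'num') return { k: 'num', v: tk.v };
    if (tk.t === 'id') {
      if (peek() && peek().v === '(') {                // function call
        next();
        const args = [];
        if (peek() && peek().v !== ')') {
          do { args.push(expr(0)); } while (peek() && peek().v === ',' && next());
        }
        expect(')');
        return { k: 'call', name: tk.v, args };
      }
      return { k: 'var', name: tk.v };
    }
    if (tk.v === '(') { const e = expr(0); expect(')'); return e; }
    if (tk.v === '-') return { k: 'neg', arg: expr(3) }; // unary minus binds below ^
    throw new SyntaxError(`unexpected token "${tk.v}"`);
  }
  function expr(minPrec) {
    let left = primary();
    for (;;) {
      const tk = peek();
      if (!tk || tk.t !== 'op' || !(tk.v in PREC) || PREC[tk.v] < minPrec) return left;
      next();
      // ^ is right-associative; everything else is left-associative.
      const right = expr(tk.v === '^' ? PREC[tk.v] : PREC[tk.v] + 1);
      left = { k: 'bin', op: tk.v, left, right };
    }
  }
  const ast = expr(0);
  if (i !== tokens.length) throw new SyntaxError(`trailing token "${tokens[i].v}"`);
  return ast;
}

// Explicit allowlist of callable functions; nothing else is reachable.
const FUNCTIONS = Object.freeze({ sqrt: Math.sqrt, max: Math.max, min: Math.min, abs: Math.abs });
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function evaluate(ast, scope) {
  switch (ast.k) {
    case 'num': return ast.v;
    case 'neg': return -evaluate(ast.arg, scope);
    case 'var': {
      // Own properties only: no prototype walk, no globals, no "constructor".
      if (!hasOwn(scope, ast.name)) throw new ReferenceError(`unknown variable ${ast.name}`);
      const v = scope[ast.name];
      if (typeof v !== 'number') throw new TypeError(`variable ${ast.name} is not a number`);
      return v;
    }
    case 'call': {
      if (!hasOwn(FUNCTIONS, ast.name)) throw new ReferenceError(`unknown function ${ast.name}`);
      return FUNCTIONS[ast.name](...ast.args.map((a) => evaluate(a, scope)));
    }
    case 'bin': {
      const l = evaluate(ast.left, scope);
      const r = evaluate(ast.right, scope);
      switch (ast.op) {
        case '+': return l + r; case '-': return l - r; case '*': return l * r;
        case '/': return l / r; case '^': return l ** r;
      }
    }
  }
  throw new Error('unreachable');
}

// Parse and evaluate once against a plain, prototype-less scope object.
function safeEval(src, scope = {}) {
  return evaluate(parse(tokenize(src)), Object.assign(Object.create(null), scope));
}

// Compile-once / call-many analogue of a toJSFunction()-style API, without
// generating JavaScript source: the closure just walks the parsed AST.
function safeCompile(src, variableNames) {
  const ast = parse(tokenize(src));
  return (...values) => {
    const scope = Object.create(null);
    variableNames.forEach((name, idx) => { scope[name] = values[idx]; });
    return evaluate(ast, scope);
  };
}

module.exports = { tokenize, parse, evaluate, safeEval, safeCompile };
```

The point of the design is structural: because the grammar has no member access, string literals or assignment, and identifiers resolve only to own properties of a null-prototype scope or a frozen function table, an expression such as `constructor` or `process.exit(0)` fails at parse or lookup time rather than being handed to the engine. When reviewing code that uses expr-eval, look for calls to toJSFunction() on data derived from user input and replace them with evaluation of the parsed expression.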
Evidence notes
The evidence for this vulnerability comes from the NVD and CVE.org. The vulnerability was published on June 23, 2026, and last modified the same day. The CVSS score and vector were provided by the NVD. Additional information was obtained from Snyk, which also reported the vulnerability.
Official resources
This article is AI-assisted and based on the supplied source corpus.