CRITICAL
nyariv
CVE published 2026-05-28
CVE-2026-43898
A critical sandbox escape vulnerability in SandboxJS prior to version 0.9.6 allows sandboxed JavaScript code to break containment and execute arbitrary host JavaScript. The flaw stems from sandbox-defined functions exposing `Function.caller`, which enables recovery of the internal `LispType.Call` runtime callback. An attacker can invoke this callback with crafted context and object values to extract block [truncated]