CRITICAL
silentmatt
CVE published 2026-06-23
CVE-2026-12866
CVE-2026-12866 is a critical vulnerability in the expr-eval package, which allows for code execution via the toJSFunction() API. An attacker can execute arbitrary JavaScript by supplying crafted expressions that are compiled into native code using new Function(). Because user-controlled expressions are transformed directly into executable JavaScript, attackers can escape the intended expression sandbox an [truncated]
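An added example, not taken from the advisory or from the expr-eval project: a small Node.js audit helper that lists toJSFunction() call sites in files that load expr-eval, so that calls compiling a non-literal expression can be reviewed first. The name auditSource, the severity labels and the sample source are assumptions constructed for illustration.

```javascript
'use strict';

// Matches require('expr-eval') and import ... from 'expr-eval'.
const IMPORT_RE = /(?:require\(\s*|from\s+)['"]expr-eval['"]/;
// Matches .toJSFunction( and ['toJSFunction'] style access.
const CALL_RE = /\.\s*toJSFunction\s*\(|\[\s*['"]toJSFunction['"]\s*\]/;
// parse("...") whose only argument is a string literal on the same line.
const LITERAL_PARSE_RE = /\bparse\(\s*(['"])(?:\\.|(?!\1).)*\1\s*\)/;

// Returns one finding per line that calls toJSFunction in a file using expr-eval.
// Heuristic only: it looks at a single line and does not follow variables.
function auditSource(source, filename) {
  const findings = [];
  if (!IMPORT_RE.test(source)) return findings; // file does not load expr-eval
  source.split(/\r?\n/).forEach((text, i) => {
    // Skip lines that are entirely comment (//, /* or a JSDoc * continuation).
    if (/^\s*(\/\/|\/\*|\*)/.test(text)) return;
    if (!CALL_RE.test(text)) return;
    findings.push({
      file: filename,
      line: i + 1,
      // A literal expression is fixed by the developer; anything else may
      // carry user-controlled text into new Function() and needs review.
      severity: LITERAL_PARSE_RE.test(text) ? 'info' : 'review',
      text: text.trim(),
    });
  });
  return findings;
}

// Constructed sample input (not real application code).
const SAMPLE = [
  "const { Parser } = require('expr-eval');",
  "const area = Parser.parse('w * h').toJSFunction('w,h');",
  "// old: Parser.parse(q).toJSFunction('x')",
  "function handler(req) {",
  "  const f = new Parser().parse(req.query.formula).toJSFunction('x');",
  "  return f(1);",
  "}",
].join('\n');

for (const f of auditSource(SAMPLE, 'sample.js')) {
  console.log(`${f.file}:${f.line} [${f.severity}] ${f.text}`);
}
```

A line marked review is a prompt to trace where the expression string comes from; a line marked info can still be unsafe if the Expression object was built elsewhere from untrusted input.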