CVE-2026-34208 — AI Deep Analysis Summary

🚨 **Essence**: SandboxJS 0.8.36- has a critical flaw allowing **constructor path bypass**. 📉 **Consequences**: Attackers can modify the **host global object properties**, breaking the security sandbox entirely.

🛡️ **CWE-693**: Protection Mechanism Failure. The **global object protection** is flawed. The vulnerability stems from **constructor path manipulation**, bypassing intended safeguards.

👥 **Vendor**: nyariv. 📦 **Product**: SandboxJS. ⚠️ **Affected**: Versions **0.8.36 and earlier**. If you use this security assessment tool, you are at risk.

💀 **Privileges**: High. Hackers can **modify host global object attributes**. This breaks isolation, potentially leading to **full environment compromise** or data leakage within the sandboxed context.

🔓 **Threshold**: **LOW**. CVSS indicates **AV:N** (Network), **AC:L** (Low Complexity), **PR:N** (No Privileges), **UI:N** (No User Interaction). Easy to exploit remotely without auth.

🕵️ **Public Exp?**: **No**. The `pocs` array is empty. No public Proof-of-Concept or wild exploitation code is currently available, though the flaw is clear.

🔍 **Self-Check**: Check your SandboxJS version. If it is **< 0.8.36**, you are vulnerable. Use package managers or `npm list` to verify installed versions immediately.

✅ **Fixed?**: Yes. The advisory (GHSA-2gg9-6p7w-6cpj) confirms the issue. **Upgrade to version 0.8.36 or later** to apply the official patch and restore protection.

🚧 **No Patch?**: If stuck on old versions, **isolate the environment**. Restrict network access to the SandboxJS instance. Monitor for unexpected global object changes. Treat it as **untrusted input**.

🔥 **Urgency**: **HIGH**. CVSS Score implies **Critical Impact** (C:H, I:H). Despite no public PoC, the low exploitation barrier makes it a prime target. **Patch immediately**.