Vulnerability Details CVE-2026-32723
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.35, SandboxJS timers have an execution-quota bypass. A global tick state (`currentTicks.current`) is shared between sandboxes. Timer string handlers are compiled at execution time using that global tick state rather than the scheduling sandbox's tick object. In multi-tenant / concurrent sandbox scenarios, another sandbox can overwrite `currentTicks.current` between scheduling and execution, causing the timer callback to run under a different sandbox's tick budget and bypass the original sandbox's execution quota/watchdog. Version 0.8.35 fixes this issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 2.1%
CVSS Severity
CVSS v3 Score 4.7
References
Products affected by CVE-2026-32723
-
cpe:2.3:a:nyariv:sandboxjs:0.1.0
-
cpe:2.3:a:nyariv:sandboxjs:0.1.1
-
cpe:2.3:a:nyariv:sandboxjs:0.2.0
-
cpe:2.3:a:nyariv:sandboxjs:0.2.1
-
cpe:2.3:a:nyariv:sandboxjs:0.2.2
-
cpe:2.3:a:nyariv:sandboxjs:0.2.3
-
cpe:2.3:a:nyariv:sandboxjs:0.3.0
-
cpe:2.3:a:nyariv:sandboxjs:0.3.1
-
cpe:2.3:a:nyariv:sandboxjs:0.3.10
-
cpe:2.3:a:nyariv:sandboxjs:0.3.11
-
cpe:2.3:a:nyariv:sandboxjs:0.3.12
-
cpe:2.3:a:nyariv:sandboxjs:0.3.13
-
cpe:2.3:a:nyariv:sandboxjs:0.3.14
-
cpe:2.3:a:nyariv:sandboxjs:0.3.15
-
cpe:2.3:a:nyariv:sandboxjs:0.3.16
-
cpe:2.3:a:nyariv:sandboxjs:0.3.17
-
cpe:2.3:a:nyariv:sandboxjs:0.3.18
-
cpe:2.3:a:nyariv:sandboxjs:0.3.2
-
cpe:2.3:a:nyariv:sandboxjs:0.3.3
-
cpe:2.3:a:nyariv:sandboxjs:0.3.4
-
cpe:2.3:a:nyariv:sandboxjs:0.3.5
-
cpe:2.3:a:nyariv:sandboxjs:0.3.6
-
cpe:2.3:a:nyariv:sandboxjs:0.3.7
-
cpe:2.3:a:nyariv:sandboxjs:0.3.8
-
cpe:2.3:a:nyariv:sandboxjs:0.3.9
-
cpe:2.3:a:nyariv:sandboxjs:0.4.0
-
cpe:2.3:a:nyariv:sandboxjs:0.5.0
-
cpe:2.3:a:nyariv:sandboxjs:0.5.2
-
cpe:2.3:a:nyariv:sandboxjs:0.5.3
-
cpe:2.3:a:nyariv:sandboxjs:0.6.0
-
cpe:2.3:a:nyariv:sandboxjs:0.6.1
-
cpe:2.3:a:nyariv:sandboxjs:0.6.2
-
cpe:2.3:a:nyariv:sandboxjs:0.7.0
-
cpe:2.3:a:nyariv:sandboxjs:0.7.1
-
cpe:2.3:a:nyariv:sandboxjs:0.8.0
-
cpe:2.3:a:nyariv:sandboxjs:0.8.1
-
cpe:2.3:a:nyariv:sandboxjs:0.8.10
-
cpe:2.3:a:nyariv:sandboxjs:0.8.11
-
cpe:2.3:a:nyariv:sandboxjs:0.8.12
-
cpe:2.3:a:nyariv:sandboxjs:0.8.14
-
cpe:2.3:a:nyariv:sandboxjs:0.8.15
-
cpe:2.3:a:nyariv:sandboxjs:0.8.15.1
-
cpe:2.3:a:nyariv:sandboxjs:0.8.16
-
cpe:2.3:a:nyariv:sandboxjs:0.8.17
-
cpe:2.3:a:nyariv:sandboxjs:0.8.18
-
cpe:2.3:a:nyariv:sandboxjs:0.8.19
-
cpe:2.3:a:nyariv:sandboxjs:0.8.2
-
cpe:2.3:a:nyariv:sandboxjs:0.8.20
-
cpe:2.3:a:nyariv:sandboxjs:0.8.21
-
cpe:2.3:a:nyariv:sandboxjs:0.8.22
-
cpe:2.3:a:nyariv:sandboxjs:0.8.23
-
cpe:2.3:a:nyariv:sandboxjs:0.8.23-1
-
cpe:2.3:a:nyariv:sandboxjs:0.8.23.2
-
cpe:2.3:a:nyariv:sandboxjs:0.8.23.3
-
cpe:2.3:a:nyariv:sandboxjs:0.8.24
-
cpe:2.3:a:nyariv:sandboxjs:0.8.24-1
-
cpe:2.3:a:nyariv:sandboxjs:0.8.24-2
-
cpe:2.3:a:nyariv:sandboxjs:0.8.25
-
cpe:2.3:a:nyariv:sandboxjs:0.8.26
-
cpe:2.3:a:nyariv:sandboxjs:0.8.27
-
cpe:2.3:a:nyariv:sandboxjs:0.8.28
-
cpe:2.3:a:nyariv:sandboxjs:0.8.29
-
cpe:2.3:a:nyariv:sandboxjs:0.8.3
-
cpe:2.3:a:nyariv:sandboxjs:0.8.30
-
cpe:2.3:a:nyariv:sandboxjs:0.8.31
-
cpe:2.3:a:nyariv:sandboxjs:0.8.4
-
cpe:2.3:a:nyariv:sandboxjs:0.8.5
-
cpe:2.3:a:nyariv:sandboxjs:0.8.6
-
cpe:2.3:a:nyariv:sandboxjs:0.8.7
-
cpe:2.3:a:nyariv:sandboxjs:0.8.8
-
cpe:2.3:a:nyariv:sandboxjs:0.8.9