CVE-2026-23830 is described as a critical SandboxJS flaw (CVSS 10) that constitutes a sandbox escape, allowing an attacker to run arbitrary code on the host machine with full privileges. The vulnerability stems from SandboxJS failing to lock down the Async family of function constructors, specifically AsyncFunction, GeneratorFunction, and AsyncGeneratorFunction, each of which is reachable through the .constructor property of any async, generator, or async generator function created inside the sandbox.
By creating an async function inside the sandbox, such as (async ()=>{}).constructor, an attacker obtains the real native AsyncFunction constructor from the host environment, at which point the sandbox is effectively dissolved. The advisory notes that once an attacker holds this native constructor, they can compile new functions from strings; like Function, these run in the global scope rather than in the sandbox's scope, which bypasses the sandbox's restrictions and, per the advisory, yields remote code execution.
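The following is an added illustration of the flaw class described above. It is not SandboxJS code: the tiny "sandbox" is a hypothetical model with a single property-read hook, and the names naiveIsBlocked, hardenedIsBlocked, sandboxGet and hostSecret are assumptions made for the example. It shows that a policy which only denies the plain Function constructor still hands out AsyncFunction through .constructor, that denying the whole family closes that path, and why reaching the host constructor matters: code it compiles runs in global scope.

```javascript
// Added illustration of the flaw class described above; this is not
// SandboxJS code and the tiny "sandbox" below is a hypothetical model.

// The four host constructors reachable via an instance's .constructor.
const HostFunction = Function;
const HostAsyncFunction = (async () => {}).constructor;
const HostGeneratorFunction = (function* () {}).constructor;
const HostAsyncGeneratorFunction = (async function* () {}).constructor;

// Naive policy (the pre-fix mistake): only the plain Function constructor
// is denied, so the async/generator family slips through.
function naiveIsBlocked(value) {
  return value === HostFunction;
}

// Hardened policy: deny the whole family. A real sandbox would map these
// to sandboxed stand-ins; a deny-set is enough to show the check.
const DENIED = new Set([
  HostFunction,
  HostAsyncFunction,
  HostGeneratorFunction,
  HostAsyncGeneratorFunction,
]);
function hardenedIsBlocked(value) {
  return DENIED.has(value);
}

// Hypothetical property-read hook of the sandbox: hand the value out
// unless the policy denies it.
function sandboxGet(target, prop, isBlocked) {
  const value = target[prop];
  if (isBlocked(value)) {
    throw new Error(`sandbox: host constructor reached via .${String(prop)}`);
  }
  return value;
}

// Sandboxed code tries the advisory's trick: (async () => {}).constructor.
function escapeAttempt(isBlocked) {
  const inner = async () => {};
  try {
    const ctor = sandboxGet(inner, 'constructor', isBlocked);
    return { escaped: true, reachedHostCtor: ctor === HostAsyncFunction };
  } catch (err) {
    return { escaped: false, reachedHostCtor: false };
  }
}

// Why reaching the host constructor matters: the code it compiles runs in
// the global scope, outside anything the sandbox controls. The generator
// variant is used so the proof is synchronous; AsyncFunction behaves the
// same way but returns a promise.
globalThis.hostSecret = 'host-secret'; // constructed host-side value
function readHostGlobalViaGenerator() {
  const gen = HostGeneratorFunction('yield hostSecret');
  return gen().next().value;
}

function readHostGlobalViaAsync() {
  const fn = HostAsyncFunction('return hostSecret');
  return fn(); // resolves to 'host-secret'
}
```

Under the naive policy escapeAttempt reports reachedHostCtor true; under the hardened policy the read throws and the attempt fails. The identity check against the host constructors is what matters: any sandbox that lets a reference to one of the four leak out, by whatever property path, has the same problem.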
The flaw affects all versions of SandboxJS prior to 0.8.26; the maintainers' fix in 0.8.26 correctly maps and isolates these asynchronous function constructors, and upgrading immediately is advised. The article, dated 29 January 2026, emphasises the severity and likelihood of exploitation implied by the CVSS 10 rating.