CVE 9.8 CRITICAL

CVE-2026-12866_CVE-2026-12866

June 23, 2026 invoker category_cve

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

All versions of the package expr-eval are vulnerable to Code Execution via the toJSFunction() API. An attacker can execute arbitrary JavaScript by supplying crafted expressions that are compiled into native code using new Function(). Because user-controlled expressions are transformed directly into executable JavaScript, attackers can escape the intended expression sandbox and run arbitrary code within the application's context.

AI Analysis

Code Execution vulnerability in expr-eval package via toJSFunction() API

Basic Information

ID CVE-2026-12866

Source snyk

Published Jun 23, 2026 at 05:00

Affected Product

Vendor silentmatt

Product expr-eval

Affected Versions n/a expr-eval 0

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor silentmatt

Product expr-eval

References

{
    "lastseen": "",
    "description": "All versions of the package expr-eval are vulnerable to Code Execution via the toJSFunction() API. An attacker can execute arbitrary JavaScript by supplying crafted expressions that are compiled into native code using new Function(). Because user-controlled expressions are transformed directly into executable JavaScript, attackers can escape the intended expression sandbox and run arbitrary code within the application's context.",
    "published": "2026-06-23T05:00:00.763Z",
    "modified": "2026-06-23T05:00:00.763Z",
    "type": "cve",
    "title": "CVE-2026-12866",
    "source": "snyk",
    "references": "https://security.snyk.io/vuln/SNYK-JS-EXPREVAL-15054690\nhttps://github.com/silentmatt/expr-eval/blob/master/src/expression.js%23L55\nhttps://github.com/silentmatt/expr-eval/issues/292",
    "id": "CVE-2026-12866",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "n/a expr-eval 0",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "expr-eval",
    "version": "0",
    "vendor": "silentmatt",
    "ai_description": "Code Execution vulnerability in expr-eval package via toJSFunction() API",
    "ai_severity": "Critical",
    "ai_vendor": "silentmatt",
    "ai_product": "expr-eval",
    "ai_version": "0",
    "ai_score": 9.8
}

💭 Join the Security Discussion ❌ Cancel Reply