CVE Catalog

CVE-2026-12866

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.45%

36th percentile — higher than 36% of all known CVEs

Summary

All versions of the expr-eval package are vulnerable to Code Execution via the toJSFunction() API. An attacker can execute arbitrary JavaScript by supplying crafted expressions that are compiled into native code.

Risk Assessment

The risk involves the ability to execute arbitrary code within the application's context, potentially leading to serious security breaches.

Recommendation

It is recommended to update the expr-eval package to the latest version to mitigate this vulnerability and to review and restrict the use of the toJSFunction() API.

Original NVD description (English source)

All versions of the package expr-eval are vulnerable to Code Execution via the toJSFunction() API. An attacker can execute arbitrary JavaScript by supplying crafted expressions that are compiled into native code using new Function(). Because user-controlled expressions are transformed directly into executable JavaScript, attackers can escape the intended expression sandbox and run arbitrary code within the application's context.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS