Improper Control of Generation of Code ('Code Injection')

CVE-2026-43898

Low

0/10

Summary

Sandbox-defined functions expose Function.caller, allowing sandboxed code to recover the internal LispType.Call runtime callback. That callback can then be invoked with attacker-controlled fake context and obj values to extract blocked host statics, recover the real host Function constructor, and execute arbitrary host JavaScript. The affected versions are prior to 0.9.6.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: CHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-94 - Code Injection

Code injection is a type of vulnerability that allows an attacker to execute arbitrary code. This vulnerability fully compromises the machine and can cause a wide variety of security issues, such as unauthorized access to sensitive information, manipulation of data, denial of service attacks etc. Code injection is different from command injection in the fact that it is limited by the functionality of the injected language (e.g. PHP), as opposed to command injection, which leverages existing code to execute commands, usually within the context of a shell.

References

Advisory

Advisory Timeline

Published May 28, 2026

Improper Control of Generation of Code ('Code Injection')

CVE-2026-43898

Summary

CWE-94 - Code Injection

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS