{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-12866: All versions of the package expr-eval are vulnerable to Code Execution via the toJSFunction() API","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-12866","status":"final","version":"1","initial_release_date":"2026-06-23T05:00:00.763Z","current_release_date":"2026-06-23T05:00:00.763Z","revision_history":[{"date":"2026-06-23T05:00:00.763Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"All versions of the package expr-eval are vulnerable to Code Execution via the toJSFunction() API. An attacker can execute arbitrary JavaScript by supplying crafted expressions that are compiled into native code using new Function(). Because user-controlled expressions are transformed directly into executable JavaScript, attackers can escape the intended expression sandbox and run arbitrary code within the application's context.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-12866 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-12866"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-12866"},{"category":"external","summary":"security.snyk.io","url":"https://security.snyk.io/vuln/SNYK-JS-EXPREVAL-15054690"},{"category":"external","summary":"github.com","url":"https://github.com/silentmatt/expr-eval/blob/master/src/expression.js%23L55"},{"category":"external","summary":"github.com","url":"https://github.com/silentmatt/expr-eval/issues/292"}]},"product_tree":{"branches":[{"category":"vendor","name":"n/a","branches":[{"category":"product_name","name":"expr-eval","branches":[{"category":"product_version_range","name":"<*","product":{"name":"n/a expr-eval <*","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:n\\/a:expr-eval:*:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-12866","title":"All versions of the package expr-eval are vulnerable to Code Execution via the toJSFunction() API","notes":[{"category":"description","text":"All versions of the package expr-eval are vulnerable to Code Execution via the toJSFunction() API. An attacker can execute arbitrary JavaScript by supplying crafted expressions that are compiled into native code using new Function(). Because user-controlled expressions are transformed directly into executable JavaScript, attackers can escape the intended expression sandbox and run arbitrary code within the application's context.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1"]},"scores":[{"cvss_v4":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N","baseScore":9.2,"baseSeverity":"CRITICAL"},"products":["CSAFPID-1"]}],"remediations":[{"category":"vendor_fix","details":"Update to a fixed version: *.","product_ids":["CSAFPID-1"]}]}]}