CVE-2026-12866
All versions of the package expr-eval are vulnerable to Code Execution via the toJSFunction() API. An attacker can execute arbitrary JavaScr
CVSS
9.8
Critical
EPSS
0.5%
p38
KEV
—
Exploit Today
11
0-100
Published: Jun 23, 2026 · Last modified: Jul 7, 2026 · CWE-94
0.5%EPSS · 30 days0.5%
2026-06-302026-07-17
All versions of the package expr-eval are vulnerable to Code Execution via the toJSFunction() API. An attacker can execute arbitrary JavaScript by supplying crafted expressions that are compiled into native code using new Function(). Because user-controlled expressions are transformed directly into executable JavaScript, attackers can escape the intended expression sandbox and run arbitrary code within the application's context.
- github.comhttps://github.com/silentmatt/expr-eval/blob/master/src/expression.js%23L55
- github.comhttps://github.com/silentmatt/expr-eval/issues/292
- security.snyk.iohttps://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-17662018
- security.snyk.iohttps://security.snyk.io/vuln/SNYK-JS-EXPREVAL-15054690
- security.snyk.iohttps://security.snyk.io/vuln/SNYK-JS-EXPREVAL-15054690
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2025-32489.8 CRI100.0%
KEV—80Langflow Missing Authentication Vulnerability4dCVE-2026-341978.8 HIG99.9%
KEV—80Apache ActiveMQ Improper Input Validation Vulnerability4dCVE-2026-154107.2 HIG71.1%
KEV—71SonicWall SMA1000 Appliances Code Injection Vulnerability2dCVE-2025-670389.8 CRI55.3%
KEV—67Lantronix EDS5000 Code Injection Vulnerability12dCVE-2021-416539.8 CRI99.5%
——30The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to remote code execution via a crafted payload in an IP address input field.10dCVE-2023-362558.8 HIG99.0%
——30An issue in Eramba Limited Eramba Enterprise and Community edition v.3.19.1 allows a remote attacker to execute arbitrary code via the path parameter in the URL.10d