CVE-2026-12866
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk36th percentile — higher than 36% of all known CVEs
Summary
All versions of the expr-eval package are vulnerable to Code Execution via the toJSFunction() API. An attacker can execute arbitrary JavaScript by supplying crafted expressions that are compiled into native code.
Risk Assessment
The risk involves the ability to execute arbitrary code within the application's context, potentially leading to serious security breaches.
Recommendation
It is recommended to update the expr-eval package to the latest version to mitigate this vulnerability and to review and restrict the use of the toJSFunction() API.
Original NVD description (English source)
All versions of the package expr-eval are vulnerable to Code Execution via the toJSFunction() API. An attacker can execute arbitrary JavaScript by supplying crafted expressions that are compiled into native code using new Function(). Because user-controlled expressions are transformed directly into executable JavaScript, attackers can escape the intended expression sandbox and run arbitrary code within the application's context.

