
16 matches found

Cvelist
added 2026/04/27 8:8 p.m. | 27 views

CVE-2026-7191 Arbitrary Code Execution via Sandbox Bypass in the open source solution QnABot on AWS

Improper use of the static-eval npm package in the open source solution qnabot-on-aws versions 7.2.4 and earlier may allow an authenticated administrator to execute arbitrary code within the fulfillment Lambda execution context by injecting a crafted conditional chaining expression via the Conten...

8.6 CVSS | 0.00102 EPSS
Exploits: 0 | References: 2

OSV
added 2021/05/06 4:11 p.m. | 0 views

GHSA-8V27-2FG9-7H62 Withdrawn: Arbitrary Code Execution in static-eval

All versions of package static-eval are vulnerable to Arbitrary Code Execution using FunctionExpressions and TemplateLiterals. PoC: var evaluate = require('static-eval'); var parse = require('esprima').parse; var src="function x return...

9.8 CVSS | 5.9 AI score
Exploits: 0 | References: 4

GitHub Security Blog
added 2021/05/06 4:11 p.m. | 67 views

Withdrawn: Arbitrary Code Execution in static-eval

All versions of package static-eval are vulnerable to Arbitrary Code Execution using FunctionExpressions and TemplateLiterals. PoC: var evaluate = require('static-eval'); var parse = require('esprima').parse; var src="function x return...

5 AI score
Exploits: 0 | References: 5 | Affected Software: 1

Snyk
added 2021/01/08 3:52 p.m. | 1 views

Arbitrary Code Execution

Amendment: This was deemed not a vulnerability. Overview: static-eval evaluates statically-analyzable expressions. Affected versions of this package are vulnerable to Arbitrary Code Execution. This vulnerability was deemed to be not an issue within the library. References - GitHub Additional...

9.8 CVSS | 6.9 AI score
Exploits: 0 | References: 2

GitHub Security Blog
added 2020/09/02 3:46 p.m. | 21 views

Sandbox Breakout / Arbitrary Code Execution in static-eval

Versions of static-eval prior to 2.0.2 pass untrusted user input directly to the global function constructor, resulting in an arbitrary code execution vulnerability when user input is parsed via the package. Proof of concept: var evaluate = require('static-eval'); var parse = require('esprima').parse;...

4.6 AI score
Exploits: 0 | References: 2 | Affected Software: 1

OSV
added 2020/09/02 3:46 p.m. | 8 views

GHSA-X9HC-RW35-F44H Sandbox Breakout / Arbitrary Code Execution in static-eval

Versions of static-eval prior to 2.0.2 pass untrusted user input directly to the global function constructor, resulting in an arbitrary code execution vulnerability when user input is parsed via the package. Proof of concept: var evaluate = require('static-eval'); var parse = require('esprima').parse;...

7.3 CVSS | 8 AI score
Exploits: 0 | References: 2

Veracode
added 2019/02/15 2:43 a.m. | 21 views

Arbitrary Code Execution

static-eval is vulnerable to arbitrary code execution. The vulnerability is possible because there is no protection by sandbox isolated process, allowing the user to input malicious code through it...

7.5 AI score
Exploits: 0 | References: 3 | Affected Software: 1

Node.js
added 2019/01/03 7:44 p.m. | 14 views

Sandbox Breakout / Arbitrary Code Execution

Overview: Versions of static-eval prior to 2.0.2 pass untrusted user input directly to the global function constructor, resulting in an arbitrary code execution vulnerability when user input is parsed via the package. Proof of concept: var evaluate = require('static-eval'); var parse =...

7.8 AI score
Exploits: 0 | Affected Software: 1

GitHub Security Blog
added 2018/08/06 9:37 p.m. | 19 views

Sandbox Breakout / Arbitrary Code Execution in static-eval

Affected versions of static-eval pass untrusted user input directly to the global function constructor, resulting in an arbitrary code execution vulnerability when user input is parsed via the package. Proof of concept: var evaluate = require('static-eval'); var parse = require('esprima').parse; va...

9.8 CVSS | 9.4 AI score | 0.01261 EPSS
Exploits: 1 | References: 5 | Affected Software: 1

OSV
added 2018/08/06 9:37 p.m. | 20 views

GHSA-5MJW-6JRH-HVFQ Sandbox Breakout / Arbitrary Code Execution in static-eval

Affected versions of static-eval pass untrusted user input directly to the global function constructor, resulting in an arbitrary code execution vulnerability when user input is parsed via the package. Proof of concept: var evaluate = require('static-eval'); var parse = require('esprima').parse; va...

9.8 CVSS | 9.7 AI score | 0.01261 EPSS
Exploits: 1 | References: 5

OSV
added 2018/06/07 2:29 a.m. | 14 views

CVE-2017-16226

The static-eval module is intended to evaluate statically-analyzable expressions. In affected versions, untrusted user input is able to access the global function constructor, effectively allowing arbitrary code execution...

9.8 CVSS | 9.8 AI score
Exploits: 0 | References: 3

Prion
added 2018/06/07 2:29 a.m. | 9 views

Code injection

The static-eval module is intended to evaluate statically-analyzable expressions. In affected versions, untrusted user input is able to access the global function constructor, effectively allowing arbitrary code execution...

7.5 CVSS | 9.7 AI score | 0.01261 EPSS
Exploits: 1 | References: 3 | Affected Software: 1

Cvelist
added 2018/06/07 2:0 a.m. | 12 views

CVE-2017-16226

The static-eval module is intended to evaluate statically-analyzable expressions. In affected versions, untrusted user input is able to access the global function constructor, effectively allowing arbitrary code execution...

9.7 AI score | 0.01261 EPSS
Exploits: 1 | References: 3

CVE
added 2018/06/07 2:0 a.m. | 53 views

CVE-2017-16226

The CVE-2017-16226 issue affects the static-eval module where untrusted input can access the global Function constructor, enabling arbitrary code execution. Exploitation details are present in multiple connected sources (e.g., npm advisory 548 and OSS/GHSA entries) showing that affected versions ...

9.8 CVSS | 9.6 AI score | 0.01261 EPSS
Exploits: 1 | References: 3 | Affected Software: 1

CNVD
added 2018/06/07 12:0 a.m. | 1 views

static-eval Arbitrary Code Execution Vulnerability

static-eval is a module for evaluating statically analyzable expressions. A security vulnerability exists in static-eval. An attacker can exploit this vulnerability to execute arbitrary code by accessing the constructor of the global function...

9.8 CVSS | 9.5 AI score | 0.01261 EPSS
Exploits: 1 | References: 1

Node.js
added 2017/10/17 11:19 p.m. | 178 views

Sandbox Breakout / Arbitrary Code Execution

Overview: Affected versions of static-eval pass untrusted user input directly to the global function constructor, resulting in an arbitrary code execution vulnerability when user input is parsed via the package. Proof of concept: var evaluate = require('static-eval'); var parse =...

7.5 CVSS | 4.8 AI score | 0.01261 EPSS
Exploits: 1 | Affected Software: 1