CVE-2026-34458

Severity: Critical · CVSS 4.0 base score 9.3 · EPSS 16.3%
Published May 5, 2026 · Modified Jun 17, 2026

Description

Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, an INI injection vulnerability allows any standard local user to bypass configuration restrictions (EditAdminOnly and ConfigPassword) and inject arbitrary directives into the global Sandboxie.ini configuration file. The background service skips authorization checks for IPC messages targeting sections beginning with UserSettings_, but does not sanitize CRLF characters in either the value parameter (via MSGID_SBIE_INI_ADD_SETTING) or the setting name parameter (via MSGID_SBIE_INI_SET_SETTING). An attacker can inject a new sandbox section header with unrestricted permissions, enabling sandbox escape and SYSTEM privilege escalation. This issue has been fixed in version 1.17.3.

CVSS Details

Base Score
9.3
Exploitability
Impact
Vector string
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
16.3% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses (1)

CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')

Affected Products (1)

Vendor          Product     Version Range
sandboxie-plus  sandboxie   * (all versions) < 1.17.3

References (2)

  • github.com https://github.com/sandboxie-plus/Sandboxie/releases/tag/v1.17.3
    Patch · Release Notes
  • github.com https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-6xqg-2cjq-95qf
    Exploit · Vendor Advisory

Remediation

  • github.com https://github.com/sandboxie-plus/Sandboxie/releases/tag/v1.17.3
    Patch · Release Notes