Description

pwn.college DOJO is an education platform for learning cybersecurity. Prior to commit e33da14449a5abcff507e554f66e2141d6683b0a, missing sandboxing on `/workspace/*` routes allows challenge authors to inject arbitrary JavaScript that runs on the same origin as `http[:]//dojo[.]website`. This is a sandbox escape leading to arbitrary JavaScript execution in the dojo's origin. A challenge author can craft a page that performs any action the user could, including dangerous ones. Version e33da14449a5abcff507e554f66e2141d6683b0a patches the issue.

INFO

Published Date: 2026-01-29T21:53:57.243Z

Last Modified: 2026-02-02T16:34:41.953Z

Source: GitHub_M

AFFECTED PRODUCTS

The following products are affected by the CVE-2026-25117 vulnerability.

Vendor: Pwncollege
Product: Dojo
