CVE-2026-34458

Published: Mag 05, 2026 Last Modified: Mag 05, 2026

ExploitDB:

Other exploit source:

Google Dorks:

CRITICAL 9,3

Source: [email protected]

Attack Vector: local

Attack Complexity: low

Privileges Required: low

User Interaction: none

Confidentiality: N/A

Integrity: N/A

Availability: N/A

Description

AI Translation Available

Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, an INI injection vulnerability allows any standard local user to bypass configuration restrictions (EditAdminOnly and ConfigPassword) and inject arbitrary directives into the global Sandboxie.ini configuration file. The background service skips authorization checks for IPC messages targeting sections beginning with UserSettings_, but does not sanitize CRLF characters in either the value parameter (via MSGID_SBIE_INI_ADD_SETTING) or the setting name parameter (via MSGID_SBIE_INI_SET_SETTING). An attacker can inject a new sandbox section header with unrestricted permissions, enabling sandbox escape and SYSTEM privilege escalation. This issue has been fixed in version 1.17.3.

Improper Neutralization of CRLF Sequences ('CRLF Injection')

Draft

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Integrity

Potential Impacts:

Modify Application Data

Applicable Platforms

All platforms may be affected

View CWE Details

https://github.com/sandboxie-plus/Sandboxie/releases/tag/v1…

https://github.com/sandboxie-plus/Sandboxie/releases/tag/v1.17.3

https://github.com/sandboxie-plus/Sandboxie/security/adviso…

https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-6xqg-2cjq-…

CVE-2026-34458

Description

Improper Neutralization of CRLF Sequences ('CRLF Injection')

Common Consequences

Applicable Platforms

Iscriviti alla newsletter