Description
pwn.college DOJO is an education platform for learning cybersecurity. Prior to commit e33da14449a5abcff507e554f66e2141d6683b0a, missing sandboxing on `/workspace/*` routes allows challenge authors to inject arbitrary JavaScript that runs on the same origin as `http[:]//dojo[.]website`. This is a sandbox escape leading to arbitrary JavaScript execution in the dojo's origin. A challenge author can craft a page that performs any dangerous action the user could. Version e33da14449a5abcff507e554f66e2141d6683b0a patches the issue.
Published: 2026-01-29
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: arbitrary JavaScript execution in the dojo's origin
Action: Patch Now
AI Analysis

Impact

The vulnerability stems from missing sandboxing on the /workspace/* routes in the pwn.college Dojo platform. A challenge author can inject arbitrary JavaScript that executes with the same origin as dojo.website. This enables the execution of any actions the user can perform, potentially exposing sensitive data or modifying site state. The flaw falls under CWE‑20 and CWE‑79.

Affected Systems

All releases of pwncollege:dojo prior to commit e33da14449a5abcff507e554f66e2141d6683b0a are affected. The commit introduces proper sandboxing that mitigates the flaw.

Risk and Exploitability

The CVSS score of 8.3 indicates high severity, while the EPSS score of less than 1% suggests a low exploitation probability at present. The vulnerability is not listed in the CISA KEV catalog. Attackers are likely limited to challenge authors who can craft malicious challenges; once a challenge is loaded, any user visiting the page may suffer arbitrary JavaScript execution. The exploit is straightforward once the malicious challenge is deployed, but requires the author role or permission to inject content into /workspace/*.

Generated by OpenCVE AI on April 18, 2026 at 01:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Dojo platform to commit e33da14449a5abcff507e554f66e2141d6683b0a or later
  • Verify that sandboxing is enforced for all /workspace/* routes
  • Restrict challenge author permissions to prevent injection of malicious content

Advisories

No advisories yet.

History

Mon, 02 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 30 Jan 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Pwncollege
Pwncollege dojo
Vendors & Products Pwncollege
Pwncollege dojo

Thu, 29 Jan 2026 22:00:00 +0000

Type Values Removed Values Added
Description pwn.college DOJO is an education platform for learning cybersecurity. Prior to commit e33da14449a5abcff507e554f66e2141d6683b0a, missing sandboxing on `/workspace/*` routes allows challenge authors to inject arbitrary javascript which runs on the same origin as `http[:]//dojo[.]website`. This is a sandbox escape leading to arbitrary javascript execution as the dojo's origin. A challenge author can craft a page that executes any dangerous actions that the user could. Version e33da14449a5abcff507e554f66e2141d6683b0a patches the issue.
Title pwn.college DOJO vulnerable to sandbox escape leading to arbitrary javascript execution
Weaknesses CWE-20
CWE-79
References
Metrics cvssV4_0

{'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-02T16:34:41.953Z

Reserved: 2026-01-29T14:03:42.539Z

Link: CVE-2026-25117

Vulnrichment

Updated: 2026-01-30T14:42:46.311Z

NVD

Status: Deferred

Published: 2026-01-29T22:15:56.270

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25117

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T01:30:16Z

Weaknesses