8.8 CVE-2026-34458

Enriched by CISA Patch Exploit

Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, an INI injection vulnerability allows any standard local user to bypass configuration restrictions (EditAdminOnly and ConfigPassword) and inject arbitrary directives into the global Sandboxie.ini configuration file. The background service skips authorization checks for IPC messages targeting sections beginning with UserSettings_, but does not sanitize CRLF characters in either the value parameter (via MSGID_SBIE_INI_ADD_SETTING) or the setting name parameter (via MSGID_SBIE_INI_SET_SETTING). An attacker can inject a new sandbox section header with unrestricted permissions, enabling sandbox escape and SYSTEM privilege escalation. This issue has been fixed in version 1.17.3.
https://nvd.nist.gov/vuln/detail/CVE-2026-34458

Categories

CWE-93 : Improper Neutralization of CRLF Sequences ('CRLF Injection')
The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) Avoid using CRLF as a special sequence. Appropriately filter or quote CRLF sequences in user-controlled input. CRLF injection enables spam proxy (add mail headers) using email address or name. CRLF injection in API function arguments modify headers for outgoing requests. Spoofed entries in web server log file via carriage returns Chain: inject fake log entries with fake timestamps using CRLF injection Chain: Application accepts CRLF in an object ID, allowing HTTP response splitting. Chain: HTTP response splitting via CRLF in parameter related to URL.

References

134c704f-9b21-4f2e-91b3-4a467353bcc0 Exploit

https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-6xqg-2cj... Exploit Vendor Advisory

security-advisories@github.com Patch Exploit

https://github.com/sandboxie-plus/Sandboxie/releases/tag/v1.17.3 Patch Release Notes
https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-6xqg-2cj... Exploit Vendor Advisory

AFFECTED (from MITRE)

Vendor	Product	Versions
sandboxie-plus	Sandboxie	< 1.17.3 [affected]
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

CPE

cpe	start	end
Configuration 1
cpe:2.3:a:sandboxie-plus:sandboxie:::::plus:::*		< 1.17.3

REMEDIATION

Patch

Url
https://github.com/sandboxie-plus/Sandboxie/releases/tag/v1.17.3

EXPLOITS

Exploit-db.com

id	description	date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-6xqg-2cj...
https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-6xqg-2cj...

CAPEC

Common Attack Pattern Enumerations and Classifications

id	description	severity
15	Command Delimiters An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on. [Assess Target Runtime Environment] In situations where the runtime environment is not implicitly known, the attacker makes connections to the target system and tries to determine the system's runtime environment. Knowing the environment is vital to choosing the correct delimiters. [Survey the Application] The attacker surveys the target application, possibly as a valid and authenticated user [Attempt delimiters in inputs] The attacker systematically attempts variations of delimiters on known inputs, observing the application's response each time. [Use malicious command delimiters] The attacker uses combinations of payload and carefully placed command delimiters to attack the software.	High
81	Web Server Logs Tampering Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application. [Determine Application Web Server Log File Format] The attacker observes the system and looks for indicators of which logging utility is being used by the web server. [Determine Injectable Content] The attacker launches various logged actions with malicious data to determine what sort of log injection is possible. [Manipulate Log Files] The attacker alters the log contents either directly through manipulation or forging or indirectly through injection of specially crafted request that the web server will receive and write into the logs. This type of attack typically follows another attack and is used to try to cover the traces of the previous attack.	High

Cybersecurity needs ?

Strengthen software security from the outset with our DevSecOps expertise

Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.

Discover this offer

Soutenez No Hack Me sur Tipeee