SandboxJS versions prior to 0.8.26 contain a critical sandbox escape vulnerability allowing remote code execution. The flaw occurs because AsyncFunction, GeneratorFunction, and AsyncGeneratorFunction constructors were not properly isolated in the sandboxing mechanism. Attackers can access the native AsyncFunction constructor through the .constructor property of async function instances, bypassing sandbox restrictions. This enables creation of functions that execute in the global scope outside the sandbox context, providing full access to the host environment. The vulnerability is patched in version 0.8.26.