Sandbox-Escape

Flowise versions before 2.1.4 are critically vulnerable to configuration injection (CVE-2024-58351) via the `overrideConfig` option in both its frontend web integration and backend Prediction API, which, due to a bypassable `vm2` sandbox, allows attackers to achieve remote code execution, sandbox escape, denial of service, server-side request forgery, prompt injection, and server variable/data exfiltration.

The vm2 npm package has a remote code execution vulnerability due to a patch bypass for CVE-2023-37903; the vulnerability occurs because the check for `nesting: true` and `require: false` in `nodevm.js` uses strict equality, which can be bypassed by omitting the `require` option entirely, allowing an attacker to execute arbitrary OS commands.

A sandbox escape vulnerability, CVE-2026-47210, in `vm2` allows arbitrary code execution in the host process when untrusted code is executed with async support on runtimes exposing WebAssembly JSPI, bypassing Promise-species hardening and exposing a host-originated rejection object to attacker-controlled species logic.

VM2 is vulnerable to a sandbox breakout vulnerability (CVE-2026-47208) that allows attackers to execute arbitrary commands on the host system by manipulating Promise species and escaping the sandbox context.

A vulnerability in NousResearch hermes-agent up to version 2026.4.16 allows for remote exploitation of the execute_code function, leading to a sandbox escape.

Boxlite, a sandbox service, allows malicious code within a container to bypass read-only restrictions on mounted host directories using virtiofs, due to missing hypervisor-level enforcement and unrestricted kernel capabilities, leading to potential code execution on the host and supply chain risks.

A type confusion vulnerability exists in Apple Safari, as detailed in CVE-2024-23222. A public exploit demonstrates successful exploitation of the vulnerability on iOS 16.4.1, leading to a sandbox escape, which has been patched in iOS 17.3 and macOS 14.3.

Multiple vulnerabilities in vm2 allow a remote, anonymous attacker to execute arbitrary code, bypass security measures, manipulate data, and disclose sensitive information.

FlowiseAI is vulnerable to authenticated remote code execution (RCE) due to a missing route-level authorization in the `/api/v1/node-custom-function` endpoint, allowing any authenticated user to execute arbitrary JavaScript and escape the NodeVM sandbox to run system commands.

Heym before 0.0.21 is vulnerable to a sandbox escape (CVE-2026-45227) in the custom Python tool executor, allowing authenticated workflow authors to bypass restrictions and execute arbitrary host commands as the backend service user.

SandboxJS is vulnerable to a sandbox escape (CVE-2026-43898); by exploiting the `Function.caller` property, sandboxed code can access the internal `LispType.Call` runtime callback, which allows an attacker to manipulate the context and arguments of the callback, leading to the execution of arbitrary host JavaScript and a complete sandbox escape.

A vulnerability exists in the vm2 npm package (<= 3.10.5) where sandboxed code can bypass the timeout protection by calling Buffer.alloc() with an arbitrary size, leading to memory exhaustion on the host system.

OpenClaw before 2026.4.10 contains an improper network binding vulnerability (CVE-2026-43581) that exposes the Chrome DevTools Protocol (CDP) on 0.0.0.0, allowing attackers to access the DevTools protocol outside intended local sandbox boundaries.

A critical vulnerability, CVE-2026-26956, exists in vm2 version 3.10.4 when running on Node.js v25.6.1 (x64 Linux), allowing a full sandbox escape with arbitrary code execution through attacker-controlled code passed to `VM.run()`.

OpenClaw versions 2026.4.7 before 2026.4.10 fail to normalize Discord event cover image parameters in sandbox media processing, allowing attackers to bypass media normalization and inject host-local media references into channel action paths expecting normalized media.

OpenClaw versions 2026.4.5 before 2026.4.10 contain a sandbox escape vulnerability (CVE-2026-42434) that allows attackers to bypass sandbox boundaries and route execution to remote nodes by overriding exec routing.

Multiple vulnerabilities in vm2 allow attackers to execute arbitrary code, perform denial of service, disclose information, and bypass security measures.

A sandbox escape vulnerability exists in n8n's Python Task Runner that allows an authenticated user with workflow creation/modification permissions to achieve arbitrary code execution on the task runner container, impacting n8n instances with the Python Task Runner enabled; upgrade to versions 1.123.32, 2.17.4, 2.18.1 or later to remediate the vulnerability.

OpenClaw before 2026.3.31 contains a symlink following vulnerability in SSH sandbox tar upload that allows remote attackers to write arbitrary files by uploading a malicious tar archive containing symlinks, leading to arbitrary file write on the remote host.

A remote attacker who has compromised the renderer process in Google Chrome on Windows prior to version 147.0.7727.101 can potentially perform a sandbox escape via a crafted HTML page due to an uninitialized use in accessibility, as tracked by CVE-2026-6311.

Google Chrome versions prior to 147.0.7727.101 are vulnerable to an out-of-bounds write in the GPU process (CVE-2026-6314), allowing a remote attacker with GPU process compromise to potentially perform a sandbox escape via a crafted HTML page.

A use-after-free vulnerability (CVE-2026-6310) in Google Chrome's Dawn component allows a remote attacker, having compromised the renderer process, to potentially execute a sandbox escape via a specially crafted HTML page.

Luanti 5 before 5.15.2, when LuaJIT is used, allows a Lua sandbox escape via a crafted mod, potentially leading to arbitrary code execution.

CVE-2026-6297 is a critical use-after-free vulnerability in the Proxy component of Google Chrome before version 147.0.7727.101, enabling a privileged network attacker to potentially achieve sandbox escape via a crafted HTML page.

A remote code execution vulnerability exists in NocoBase plugin-workflow-javascript versions up to 2.0.23 due to a sandbox escape in the createSafeConsole function, allowing unauthenticated attackers to potentially execute arbitrary code on the server.

A sandbox escape vulnerability exists in Wasmtime versions 25.0.0 to 36.0.7, 37.0.0 to 42.0.2, and version 43.0.0 when using the Winch compiler backend on aarch64 architecture, potentially allowing a Wasm guest to access host memory outside its sandbox, leading to denial of service, data leaks, or remote code execution.

A sandbox integrity escape vulnerability exists in SandboxJS versions prior to 0.8.36, allowing untrusted code to bypass global write protections and mutate host shared global objects, potentially leading to cross-context persistence and broader compromise.

A critical time-of-check time-of-use (TOCTOU) vulnerability in OpenClaw's remote file system bridge allows a sandbox escape by exploiting the delay between path validation and file reading, affecting versions up to 2026.3.28.

PraisonAI's SubprocessSandbox allows attackers to bypass command restrictions due to the use of `shell=True` in `subprocess.run()` combined with an insufficient blocklist that does not include `sh` or `bash`, enabling command execution via `sh -c '<command>'`.

OpenClaw before 2026.3.11 contains a session sandbox escape vulnerability in the session_status tool, allowing sandboxed subagents to access and modify session data outside their intended scope.

OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability that allows low-privilege leaf subagents to access the subagents control surface and execute commands with broader tool policies due to insufficient authorization checks, potentially leading to privilege escalation and unauthorized control of sibling processes.

A use-after-free vulnerability in the Canvas2D component of Mozilla Firefox and Thunderbird versions before 149 allows for a potential sandbox escape.

A use-after-free vulnerability in the Disability Access APIs component of Mozilla Firefox and Thunderbird (CVE-2026-4688) allows for sandbox escape, potentially leading to arbitrary code execution outside the sandbox.

CVE-2026-4687 is a sandbox escape vulnerability in Firefox and Thunderbird due to incorrect boundary conditions in the Telemetry component, potentially allowing an attacker to execute arbitrary code outside the sandbox.

A sandbox escape vulnerability, identified as CVE-2026-4690, exists in the XPCOM component of Mozilla Firefox, Firefox ESR, and Thunderbird due to incorrect boundary conditions and an integer overflow, potentially allowing an attacker to execute arbitrary code outside the sandbox.

A use-after-free vulnerability (CVE-2026-4676) in Google Chrome before 146.0.7680.165 allows a remote attacker to potentially perform a sandbox escape via a crafted HTML page.

A vulnerability in vm2's NodeVM, when nesting is enabled, allows sandbox code to bypass require restrictions, enabling arbitrary OS command execution on the host.

A vulnerability in macOS Mojave allows sandboxed applications to bypass sandbox restrictions and surreptitiously monitor user activities by registering for distributed notifications by name, circumventing intended privacy protections.

A malicious Word document targeting macOS users employs macros to download and execute a Meterpreter payload, leveraging a sandbox escape vulnerability and launch agent plist for persistence.

A sandbox breakout vulnerability in vm2 allows attackers to execute arbitrary commands on the host system by exploiting the `neutralizeArraySpeciesBatch` method to access host objects and the Function object.

A vulnerability in Microsoft Office for Mac allows malicious code to escape the application's sandbox and achieve persistence by abusing a faulty regex for temporary files.

A sandbox escape vulnerability exists in vm2 versions 3.10.5 and earlier that allows sandboxed code to crash the host Node.js process via a Promise constructor that triggers an unhandled rejection, leading to a denial-of-service condition.

A vulnerability exists in vm2 version 3.10.5 where NodeVM's `require.root` path restriction can be bypassed using filesystem symlinks, allowing sandboxed code to load modules from outside the allowed root directory in host context, leading to remote code execution.

Frappe Framework ERPNext 13.4.0 contains a sandbox escape vulnerability allowing authenticated users with System Manager role to execute arbitrary code via frame introspection and `os.popen`.

The validator-mode sandbox executor in @evomap/evolver versions 1.70.0-beta.4 and earlier places `npm` and `npx` in its executable allowlist, allowing arbitrary code execution because validator nodes consume unsigned Hub responses without signature checks, leading to remote code execution on every validator node via lifecycle scripts.

A critical RCE vulnerability in OpenLearnX allows for sandbox escape and arbitrary command execution in versions prior to 2.0.3.

A time-of-check/time-of-use (TOCTOU) race condition in OpenClaw versions 2026.4.21 and earlier allows a symlink swap to redirect filesystem writes outside the intended sandbox mount root, potentially leading to arbitrary file modification.