{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/sandbox-escape/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["n8n"],"_cs_severities":["high"],"_cs_tags":["sandbox-escape","code-execution","vulnerability"],"_cs_type":"advisory","_cs_vendors":["n8n"],"content_html":"\u003cp\u003eA sandbox escape vulnerability has been identified in the Python Task Runner of n8n, a workflow automation platform. This vulnerability, assigned CVE-2026-42234, allows an authenticated user who has permissions to create or modify workflows that contain a Python Code Node to escape the sandbox environment. Successful exploitation leads to arbitrary code execution within the task runner container. This issue specifically impacts n8n instances where the Python Task Runner is enabled. The vulnerability affects n8n versions prior to 1.123.32, versions between 2.17.0 and 2.17.4, and versions between 2.18.0 and 2.18.1. Defenders should prioritize patching their n8n instances or implementing available workarounds.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains authenticated access to an n8n instance.\u003c/li\u003e\n\u003cli\u003eThe attacker verifies the Python Task Runner is enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker creates or modifies an n8n workflow.\u003c/li\u003e\n\u003cli\u003eThe workflow includes a Python Code Node.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts malicious Python code designed to escape the sandbox. 
This code could leverage vulnerabilities in the sandbox implementation to execute commands outside of the intended restricted environment.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers the workflow execution.\u003c/li\u003e\n\u003cli\u003eThe malicious Python code executes, successfully escaping the sandbox.\u003c/li\u003e\n\u003cli\u003eArbitrary code is executed on the task runner container, potentially leading to compromise of the n8n instance or the underlying infrastructure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary code within the n8n task runner container. This can lead to a full compromise of the n8n instance, allowing the attacker to steal sensitive data, disrupt services, or pivot to other systems within the network. While the exact number of affected instances is unknown, any n8n deployment running a vulnerable version with the Python Task Runner enabled is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade n8n to versions 1.123.32, 2.17.4, 2.18.1 or later to remediate the vulnerability as recommended by the vendor.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately possible, limit workflow creation and editing permissions to fully trusted users only, as mentioned in the advisory.\u003c/li\u003e\n\u003cli\u003eAs a temporary measure, disable the Python Code node by adding \u003ccode\u003en8n-nodes-base.code\u003c/code\u003e to the \u003ccode\u003eNODES_EXCLUDE\u003c/code\u003e environment variable, or disable the Python Task Runner entirely as documented in the advisory.\u003c/li\u003e\n\u003cli\u003eMonitor container execution for unexpected processes spawned from the n8n task runner container using the \u0026ldquo;Detect Suspicious Process Execution from n8n Task Runner\u0026rdquo; Sigma 
rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T21:21:50Z","date_published":"2026-04-29T21:21:50Z","id":"/briefs/2026-04-n8n-python-sandbox-escape/","summary":"A sandbox escape vulnerability exists in n8n's Python Task Runner that allows an authenticated user with workflow creation/modification permissions to achieve arbitrary code execution on the task runner container, impacting n8n instances with the Python Task Runner enabled; upgrade to versions 1.123.32, 2.17.4, 2.18.1 or later to remediate the vulnerability.","title":"n8n Python Task Runner Sandbox Escape Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-n8n-python-sandbox-escape/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-41364"}],"_cs_exploited":false,"_cs_products":["OpenClaw"],"_cs_severities":["high"],"_cs_tags":["symlink","file-write","sandbox-escape"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eOpenClaw versions before 2026.3.31 are vulnerable to a symlink following issue within the SSH sandbox tar upload functionality. This vulnerability, identified as CVE-2026-41364, allows a remote attacker with the ability to upload tar archives to the OpenClaw instance to potentially escape the intended sandbox environment. By crafting a malicious tar archive containing carefully constructed symbolic links, an attacker can overwrite arbitrary files on the remote host, leading to a compromise of the system\u0026rsquo;s integrity. This vulnerability was reported and patched in version 2026.3.31. 
Defenders need to ensure they are running patched versions to mitigate the risk of exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the OpenClaw instance via SSH, gaining access to the restricted sandbox environment.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious tar archive containing symbolic links pointing outside the intended sandbox directory. These symlinks are designed to target specific files or directories on the host system that the attacker wishes to overwrite.\u003c/li\u003e\n\u003cli\u003eAttacker uploads the malicious tar archive to the OpenClaw instance using the SSH sandbox tar upload functionality.\u003c/li\u003e\n\u003cli\u003eOpenClaw extracts the contents of the uploaded tar archive without properly validating or restricting the target paths of the symbolic links.\u003c/li\u003e\n\u003cli\u003eDuring extraction, the symbolic links are followed, causing files to be written outside the intended sandbox directory.\u003c/li\u003e\n\u003cli\u003eThe attacker overwrites arbitrary files on the remote host with attacker-controlled content.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution or persistence by overwriting critical system files or configuration files.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges by modifying binaries used by privileged users.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a remote attacker with low privileges to write arbitrary files on the OpenClaw server. This can lead to a variety of impacts, including arbitrary code execution, privilege escalation, and denial of service. An attacker could potentially gain complete control over the OpenClaw server by overwriting critical system files. 
Given the potential for complete system compromise, this vulnerability poses a significant risk to organizations using affected versions of OpenClaw.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.3.31 or later to patch CVE-2026-41364.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious Tar Archive Upload with Symlinks\u0026rdquo; to detect attempts to upload malicious tar archives containing symbolic links.\u003c/li\u003e\n\u003cli\u003eMonitor SSH logs for suspicious activity related to tar archive uploads to the OpenClaw instance.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T00:16:25Z","date_published":"2026-04-28T00:16:25Z","id":"/briefs/2026-04-openclaw-symlink/","summary":"OpenClaw before 2026.3.31 contains a symlink following vulnerability in SSH sandbox tar upload that allows remote attackers to write arbitrary files by uploading a malicious tar archive containing symlinks, leading to arbitrary file write on the remote host.","title":"OpenClaw Symlink Vulnerability in SSH Sandbox Tar Upload (CVE-2026-41364)","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-symlink/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.3,"id":"CVE-2026-6311"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-6311","chrome","sandbox-escape","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-6311 describes a high-severity vulnerability affecting Google Chrome on Windows. Specifically, an uninitialized use in the Accessibility component exists in versions prior to 147.0.7727.101. This flaw allows a remote attacker, who has already compromised the renderer process, to potentially escape the browser\u0026rsquo;s sandbox environment. The attacker exploits this vulnerability by crafting a malicious HTML page. 
Successful exploitation allows the attacker to execute code outside of the Chrome sandbox, potentially leading to arbitrary code execution on the underlying system. This vulnerability was patched in Chrome version 147.0.7727.101, released in April 2026. The Chromium project assigned a security severity of High to this issue.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious HTML page designed to trigger the uninitialized use vulnerability in the Accessibility component.\u003c/li\u003e\n\u003cli\u003eThe victim visits the malicious HTML page through a phishing link or drive-by download.\u003c/li\u003e\n\u003cli\u003eThe HTML page is rendered by Google Chrome, which triggers the vulnerability in the Accessibility component.\u003c/li\u003e\n\u003cli\u003eDue to the uninitialized memory, the attacker gains control of a pointer or other sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages this control to read from or write to arbitrary memory locations within the renderer process.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates the memory of the renderer process to bypass sandbox restrictions.\u003c/li\u003e\n\u003cli\u003eThe attacker gains the ability to execute arbitrary code outside of the Chrome sandbox.\u003c/li\u003e\n\u003cli\u003eThe attacker can now perform actions such as installing malware, stealing sensitive data, or pivoting to other systems on the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6311 allows an attacker to escape the Google Chrome sandbox on Windows systems. This can lead to arbitrary code execution on the victim\u0026rsquo;s machine, potentially leading to data theft, malware installation, or further compromise of the network. 
Given Chrome\u0026rsquo;s widespread use, this vulnerability poses a significant risk to a large number of users. While the exact number of victims is unknown, the potential impact is high due to the ability to bypass the browser\u0026rsquo;s security measures.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Google Chrome to version 147.0.7727.101 or later to patch CVE-2026-6311 (reference: Overview).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for unexpected processes spawned by Chrome renderer processes, as a sign of successful sandbox escape (reference: Attack Chain step 8 and the \u0026ldquo;Detect Chrome Sandbox Escape via Child Process\u0026rdquo; Sigma rule).\u003c/li\u003e\n\u003cli\u003eImplement web filtering to block access to known malicious websites that may host exploit code targeting this vulnerability (reference: Attack Chain step 2).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T12:00:00Z","date_published":"2026-04-16T12:00:00Z","id":"/briefs/2026-04-chrome-sandbox-escape/","summary":"A remote attacker who has compromised the renderer process in Google Chrome on Windows prior to version 147.0.7727.101 can potentially perform a sandbox escape via a crafted HTML page due to an uninitialized use in accessibility, as tracked by CVE-2026-6311.","title":"Google Chrome Sandbox Escape via Uninitialized Use in Accessibility (CVE-2026-6311)","url":"https://feed.craftedsignal.io/briefs/2026-04-chrome-sandbox-escape/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.3,"id":"CVE-2026-6314"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["chrome","gpu","oob-write","sandbox-escape"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-6314 is a security vulnerability affecting Google Chrome versions 
prior to 147.0.7727.101. The vulnerability resides within the GPU process and is classified as an out-of-bounds write. Successful exploitation could allow a remote attacker who has already compromised the GPU process to perform a sandbox escape, potentially gaining broader system access. The vulnerability can be triggered by a crafted HTML page. The Chromium security team has rated this vulnerability as High severity. This vulnerability was patched in the 147.0.7727.101 release.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious HTML page designed to trigger the out-of-bounds write in the GPU process.\u003c/li\u003e\n\u003cli\u003eThe victim visits the malicious HTML page using a vulnerable version of Google Chrome.\u003c/li\u003e\n\u003cli\u003eThe HTML page leverages JavaScript to initiate a GPU-related operation that triggers the vulnerable code path.\u003c/li\u003e\n\u003cli\u003eThe GPU process attempts to write data outside of the intended memory buffer due to a flaw in the code.\u003c/li\u003e\n\u003cli\u003eThis out-of-bounds write corrupts memory within the GPU process.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the memory corruption to overwrite critical data structures or code within the GPU process.\u003c/li\u003e\n\u003cli\u003eBy manipulating the GPU process\u0026rsquo;s memory, the attacker attempts to escape the Chrome sandbox.\u003c/li\u003e\n\u003cli\u003eIf successful, the attacker gains the ability to execute arbitrary code outside the sandbox, potentially compromising the user\u0026rsquo;s system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6314 allows an attacker to escape the Chrome sandbox. This allows the attacker to potentially execute arbitrary code on the victim\u0026rsquo;s machine. 
While the exact number of victims is unknown, all users of Google Chrome versions prior to 147.0.7727.101 are potentially vulnerable. A successful sandbox escape could lead to data theft, malware installation, or other malicious activities, depending on the privileges of the compromised user.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Google Chrome to version 147.0.7727.101 or later to patch CVE-2026-6314.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Chrome GPU Process Crash\u003c/code\u003e to identify potential exploitation attempts based on abnormal process termination.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to suspicious HTML pages (cs-uri-query, cs-uri-stem) that could be used to deliver the exploit.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T12:00:00Z","date_published":"2026-04-16T12:00:00Z","id":"/briefs/2026-04-chrome-gpu-oob-write/","summary":"Google Chrome versions prior to 147.0.7727.101 are vulnerable to an out-of-bounds write in the GPU process (CVE-2026-6314), allowing a remote attacker with GPU process compromise to potentially perform a sandbox escape via a crafted HTML page.","title":"Google Chrome GPU Out-of-Bounds Write Vulnerability (CVE-2026-6314)","url":"https://feed.craftedsignal.io/briefs/2026-04-chrome-gpu-oob-write/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.3,"id":"CVE-2026-6310"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-6310","use-after-free","sandbox escape","google chrome"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-6310 is a high-severity vulnerability affecting Google Chrome versions prior to 147.0.7727.101. The vulnerability lies within the Dawn component, a library used for interacting with the WebGPU API. 
An attacker who has already compromised the Chrome renderer process can exploit this use-after-free vulnerability to potentially escape the Chrome sandbox. Successful exploitation requires the attacker to craft a malicious HTML page that triggers the vulnerability in Dawn, enabling them to execute arbitrary code outside the confines of the renderer process and potentially gain control of the user\u0026rsquo;s system. This poses a significant risk to users browsing untrusted websites.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious HTML page specifically designed to trigger the use-after-free vulnerability in the Dawn component of Google Chrome.\u003c/li\u003e\n\u003cli\u003eThe victim visits the malicious HTML page via a compromised website, a phishing link, or other social engineering techniques.\u003c/li\u003e\n\u003cli\u003eThe HTML page leverages the WebGPU API to interact with the Dawn component.\u003c/li\u003e\n\u003cli\u003eThe malicious code manipulates memory in a way that leads to a use-after-free condition within Dawn.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the use-after-free vulnerability to overwrite memory and gain control of program execution.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised renderer process to attempt a sandbox escape.\u003c/li\u003e\n\u003cli\u003eIf successful, the attacker can execute arbitrary code outside the Chrome sandbox.\u003c/li\u003e\n\u003cli\u003eThe attacker can then install malware, steal sensitive data, or perform other malicious actions on the victim\u0026rsquo;s system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6310 allows an attacker to escape the Chrome sandbox, a security mechanism designed to isolate web content from the rest of the system. 
This could lead to arbitrary code execution on the victim\u0026rsquo;s machine, potentially allowing the attacker to install malware, steal sensitive information, or perform other malicious activities. Given Chrome\u0026rsquo;s widespread use, a successful exploit could impact a large number of users across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Google Chrome to version 147.0.7727.101 or later to patch CVE-2026-6310.\u003c/li\u003e\n\u003cli\u003eImplement a network detection rule to identify potentially malicious HTML pages that exploit WebGPU and trigger the use-after-free condition.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for unusual processes spawned by chrome.exe after the renderer process is compromised, as this may indicate a sandbox escape.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T12:00:00Z","date_published":"2026-04-16T12:00:00Z","id":"/briefs/2026-04-chrome-dawn-uaf/","summary":"A use-after-free vulnerability (CVE-2026-6310) in Google Chrome's Dawn component allows a remote attacker, having compromised the renderer process, to potentially execute a sandbox escape via a specially crafted HTML page.","title":"Google Chrome Dawn Use-After-Free Vulnerability (CVE-2026-6310)","url":"https://feed.craftedsignal.io/briefs/2026-04-chrome-dawn-uaf/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.3,"id":"CVE-2026-40959"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["sandbox-escape","luanti","luajit","cve-2026-40959"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-40959 describes a critical vulnerability in Luanti 5, specifically in versions prior to 5.15.2, when used with LuaJIT. 
The vulnerability allows a malicious actor to escape the Lua sandbox environment by exploiting a crafted \u0026ldquo;mod.\u0026rdquo; This escape could lead to unauthorized access and control over the system, potentially allowing for arbitrary code execution outside of the intended sandbox. The vulnerability was reported to MITRE and assigned a CVSS v3.1 score of 9.3, indicating a critical severity. This vulnerability poses a significant threat to systems relying on Luanti for sandboxed Lua execution.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious Lua \u0026ldquo;mod\u0026rdquo; specifically designed to exploit the sandbox escape vulnerability in Luanti.\u003c/li\u003e\n\u003cli\u003eThe malicious mod leverages weaknesses in the LuaJIT implementation within Luanti to bypass sandbox restrictions.\u003c/li\u003e\n\u003cli\u003eThe crafted mod is loaded into a vulnerable Luanti 5 instance.\u003c/li\u003e\n\u003cli\u003eUpon execution of the malicious mod, the attacker gains the ability to execute arbitrary Lua code outside the intended sandbox.\u003c/li\u003e\n\u003cli\u003eThe attacker can then utilize this escaped context to interact with the underlying operating system.\u003c/li\u003e\n\u003cli\u003eUsing OS-level access, the attacker escalates privileges further.\u003c/li\u003e\n\u003cli\u003eThe attacker installs persistent backdoors or other malicious software.\u003c/li\u003e\n\u003cli\u003eFinally, the attacker achieves complete system compromise, exfiltrates sensitive data, or causes other damage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40959 could lead to a complete compromise of systems utilizing vulnerable versions of Luanti 5 with LuaJIT. An attacker could gain unauthorized access to sensitive data, install malware, or disrupt critical services. 
Given the critical CVSS score of 9.3, the potential impact is high, especially in environments where Luanti is used to sandbox untrusted Lua code. The number of potential victims depends on the adoption rate of Luanti 5 and the prevalence of LuaJIT usage within those installations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Luanti to version 5.15.2 or later to patch CVE-2026-40959.\u003c/li\u003e\n\u003cli\u003eMonitor for the loading of unsigned or untrusted Lua mods within Luanti environments (see process_creation rule below).\u003c/li\u003e\n\u003cli\u003eInspect Lua mods for suspicious code patterns indicative of sandbox escape attempts (develop custom rules based on the specific LuaJIT weaknesses exploited).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T01:16:11Z","date_published":"2026-04-16T01:16:11Z","id":"/briefs/2026-04-luanti-sandbox-escape/","summary":"Luanti 5 before 5.15.2, when LuaJIT is used, allows a Lua sandbox escape via a crafted mod, potentially leading to arbitrary code execution.","title":"Luanti LuaJIT Sandbox Escape (CVE-2026-40959)","url":"https://feed.craftedsignal.io/briefs/2026-04-luanti-sandbox-escape/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.3,"id":"CVE-2026-6297"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve","use-after-free","chrome","sandbox escape"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-6297 is a critical security flaw affecting Google Chrome users. The vulnerability, a use-after-free issue within the Proxy component, exists in versions prior to 147.0.7727.101. Successfully exploiting this vulnerability would allow an attacker positioned in a privileged network location to potentially break out of Chrome\u0026rsquo;s sandbox. The attack vector involves a specially crafted HTML page delivered to the victim. 
This is a critical vulnerability because a successful exploit could lead to arbitrary code execution within the context of the user running Chrome, potentially leading to data theft, system compromise, or further lateral movement within a network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains a privileged network position, such as through ARP poisoning or DNS spoofing.\u003c/li\u003e\n\u003cli\u003eThe victim user browses to a website or is redirected to a website controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a malicious HTML page into the victim\u0026rsquo;s browser session.\u003c/li\u003e\n\u003cli\u003eThe malicious HTML page leverages JavaScript to trigger the use-after-free vulnerability in Chrome\u0026rsquo;s Proxy component.\u003c/li\u003e\n\u003cli\u003eThe use-after-free condition allows the attacker to corrupt memory within the Chrome process.\u003c/li\u003e\n\u003cli\u003eBy carefully crafting the memory corruption, the attacker gains control of program execution.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code within the Chrome sandbox.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the initial code execution within the sandbox to attempt a sandbox escape and gain access to the underlying operating system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6297 allows an attacker in a privileged network position to perform a sandbox escape. This can lead to arbitrary code execution on the user\u0026rsquo;s machine, potentially compromising sensitive data, allowing for further exploitation of the system, and enabling lateral movement within the network. 
Due to the widespread use of Chrome, this vulnerability has the potential to affect a large number of users across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Google Chrome to version 147.0.7727.101 or later to patch CVE-2026-6297.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Chrome Sandbox Escape via Crafted HTML\u0026rdquo; to identify potential exploitation attempts within your environment.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for signs of ARP poisoning or DNS spoofing, which are common prerequisites for exploiting vulnerabilities like CVE-2026-6297.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T20:16:38Z","date_published":"2026-04-15T20:16:38Z","id":"/briefs/2026-04-chrome-use-after-free/","summary":"CVE-2026-6297 is a critical use-after-free vulnerability in the Proxy component of Google Chrome before version 147.0.7727.101, enabling a privileged network attacker to potentially achieve sandbox escape via a crafted HTML page.","title":"Google Chrome Proxy Use-After-Free Vulnerability (CVE-2026-6297)","url":"https://feed.craftedsignal.io/briefs/2026-04-chrome-use-after-free/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-6224"}],"_cs_exploited":true,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["nocobase","rce","sandbox-escape","cve-2026-6224"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eA critical security flaw, identified as CVE-2026-6224, affects NocoBase plugin-workflow-javascript versions up to 2.0.23. This vulnerability resides in the \u003ccode\u003ecreateSafeConsole\u003c/code\u003e function within the \u003ccode\u003epackages/plugins/@nocobase/plugin-workflow-javascript/src/server/Vm.js\u003c/code\u003e file. By manipulating this function, an attacker can escape the intended sandbox environment. 
Publicly available exploits exist, increasing the risk of active exploitation. This vulnerability allows for remote, unauthenticated exploitation, making it a significant threat to systems running the affected NocoBase plugin. The vendor has not responded to vulnerability disclosure attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a malicious request to the NocoBase server targeting the \u003ccode\u003eplugin-workflow-javascript\u003c/code\u003e component.\u003c/li\u003e\n\u003cli\u003eThe request is processed by the vulnerable \u003ccode\u003ecreateSafeConsole\u003c/code\u003e function within \u003ccode\u003eVm.js\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the identified manipulation technique to bypass the intended sandbox restrictions.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the underlying server environment.\u003c/li\u003e\n\u003cli\u003eThe attacker injects and executes arbitrary JavaScript code within the server context.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to gain further control of the system.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence through creating new user accounts or modifying system configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution on the server, leading to potential data theft, system compromise, or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6224 can lead to complete compromise of the NocoBase server. An attacker can gain unauthorized access to sensitive data, modify system configurations, install malware, or disrupt normal operations. Given the nature of NocoBase as a data management platform, the impact could include widespread data breaches and significant reputational damage. 
Because exploits are publicly available, organizations using vulnerable versions of the plugin are at immediate risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade NocoBase plugin-workflow-javascript to a patched version beyond 2.0.23 to remediate CVE-2026-6224.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect Suspicious NocoBase Workflow JavaScript Activity\u003c/code\u003e to identify potential exploitation attempts targeting the \u003ccode\u003ecreateSafeConsole\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests targeting the \u003ccode\u003e/packages/plugins/@nocobase/plugin-workflow-javascript/src/server/Vm.js\u003c/code\u003e path.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization measures to prevent malicious code injection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T12:00:00Z","date_published":"2026-04-14T12:00:00Z","id":"/briefs/2026-04-nocobase-rce/","summary":"A remote code execution vulnerability exists in NocoBase plugin-workflow-javascript versions up to 2.0.23 due to a sandbox escape in the createSafeConsole function, allowing unauthenticated attackers to potentially execute arbitrary code on the server.","title":"NocoBase plugin-workflow-javascript Sandbox Escape Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-nocobase-rce/"},{"_cs_actors":[],"_cs_cves":[{"id":"CVE-2026-34987"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wasmtime","sandbox-escape","memory-corruption","aarch64"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eWasmtime, a WebAssembly runtime, is vulnerable to a sandbox escape issue when using the Winch compiler backend on aarch64 architecture. 
This vulnerability, affecting versions 25.0.0 through 36.0.7, 37.0.0 through 42.0.2, and 43.0.0, stems from improper handling of memory offsets within the Winch compiler. The Winch compiler is not the default, requiring the \u003ccode\u003e-Ccompiler=winch\u003c/code\u003e flag to activate it. A malicious or compromised Wasm guest could exploit this flaw to access host memory outside of its designated linear memory region. Successful exploitation could lead to denial of service, sensitive data leaks from the host process, or, with write access, potentially arbitrary remote code execution on the host system. Defenders should prioritize patching or switching to the Cranelift compiler backend to mitigate this critical vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious WebAssembly module specifically designed to exploit the memory offset vulnerability in the Winch compiler.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys the malicious Wasm module to a system running a vulnerable version of Wasmtime using the Winch compiler backend (\u003ccode\u003e-Ccompiler=winch\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe vulnerable Wasmtime instance loads and compiles the malicious Wasm module using the Winch compiler.\u003c/li\u003e\n\u003cli\u003eDue to the flawed memory offset calculation within Winch, the Wasm module is able to access memory addresses outside of its allocated linear memory region.\u003c/li\u003e\n\u003cli\u003eThe Wasm module reads sensitive data from the host process\u0026rsquo;s memory space, such as configuration files, API keys, or other confidential information.\u003c/li\u003e\n\u003cli\u003eAlternatively, the Wasm module attempts to write arbitrary data to the host process\u0026rsquo;s memory space, potentially overwriting critical system data or injecting malicious code.\u003c/li\u003e\n\u003cli\u003eSuccessful memory corruption leads to a 
denial-of-service condition, a data leak, or potentially arbitrary code execution within the context of the host process.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised host process to further compromise the system or network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a malicious Wasm guest to escape its sandbox and access the host system\u0026rsquo;s memory. This can result in a denial of service, where the host process crashes due to memory corruption. More critically, it can lead to the exfiltration of sensitive data from the host process, potentially exposing confidential information. In the worst-case scenario, the attacker could achieve arbitrary code execution on the host system, leading to a complete system compromise. The number of potential victims is dependent on the adoption rate of Wasmtime with the Winch compiler enabled in production environments, but given the severity of the potential impact, any vulnerable instance represents a significant risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Wasmtime version 43.0.1, 42.0.2, or 36.0.7 to patch CVE-2026-34987.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, switch to the Cranelift compiler backend by removing the \u003ccode\u003e-Ccompiler=winch\u003c/code\u003e flag from the Wasmtime execution command.\u003c/li\u003e\n\u003cli\u003eMonitor Wasmtime deployments for unexpected crashes or memory access violations that may indicate exploitation attempts. 
While no specific IOCs are provided, unusual process behavior from Wasmtime should be investigated.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-wasmtime-sandbox-escape/","summary":"A sandbox escape vulnerability exists in Wasmtime versions 25.0.0 to 36.0.7, 37.0.0 to 42.0.2, and version 43.0.0 when using the Winch compiler backend on aarch64 architecture, potentially allowing a Wasm guest to access host memory outside its sandbox, leading to denial of service, data leaks, or remote code execution.","title":"Wasmtime Winch Compiler Aarch64 Sandbox Escape Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-wasmtime-sandbox-escape/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["sandbox-escape","javascript","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical vulnerability exists in SandboxJS versions prior to 0.8.36, a JavaScript sandbox library. This vulnerability allows malicious or untrusted JavaScript code executed within the sandbox to escape the sandbox and modify global objects in the host environment. The bypass is achieved through an exposed callable constructor path: \u003ccode\u003ethis.constructor.call(target, attackerObject)\u003c/code\u003e, allowing attackers to circumvent intended protections against direct assignment to global objects. This can lead to persistent modifications of host runtime state and cross-context contamination. 
Successful exploitation could allow attackers to compromise other requests, tenants, or subsequent sandbox runs within the same process, potentially leading to control-flow hijack in application logic that assumes trusted built-in behavior.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker injects JavaScript code into the SandboxJS environment.\u003c/li\u003e\n\u003cli\u003eThe injected code gains access to the \u003ccode\u003eSandboxGlobal\u003c/code\u003e constructor via \u003ccode\u003ethis.constructor\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages \u003ccode\u003eFunction.prototype.call\u003c/code\u003e to invoke the \u003ccode\u003eSandboxGlobal\u003c/code\u003e constructor with a target global object (e.g., \u003ccode\u003eMath\u003c/code\u003e, \u003ccode\u003eJSON\u003c/code\u003e) and a payload object containing properties to overwrite.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eSandboxGlobal\u003c/code\u003e constructor copies properties from the attacker-controlled payload object into the specified global object in the host environment, bypassing the intended write-time checks.\u003c/li\u003e\n\u003cli\u003eThe host environment\u0026rsquo;s global object is modified with attacker-supplied values.\u003c/li\u003e\n\u003cli\u003eSubsequent executions of SandboxJS instances within the same process now operate with the tainted global object.\u003c/li\u003e\n\u003cli\u003eIf the host application relies on the integrity of the mutated global objects, the attacker can hijack control flow.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves code execution in the host environment due to the modified global state.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows untrusted code to escape the SandboxJS sandbox and directly manipulate the host environment\u0026rsquo;s global objects. 
This can lead to a variety of impacts, including persistent cross-context contamination, where new sandbox instances are initialized with a tainted state. The modification of critical global objects can lead to unpredictable behavior and, in certain scenarios, enable complete control-flow hijack of the host application. The severity of the impact is considered critical due to the potential for widespread and persistent compromise. Affected versions: npm/@nyariv/sandboxjs (vulnerable: \u0026lt; 0.8.36).\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to SandboxJS version 0.8.36 or later to patch the vulnerability (Affected Packages).\u003c/li\u003e\n\u003cli\u003eImplement monitoring for unexpected modifications to global objects within the host environment where SandboxJS is deployed (see rule \u0026ldquo;Detect SandboxJS Global Object Mutation via Constructor Call\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eConsider implementing additional layers of defense, such as restricting the capabilities of the host environment where SandboxJS is running, to minimize the impact of a successful sandbox escape (see rule \u0026ldquo;Detect SandboxJS Constructor Call to Global Objects\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eReview host application code that relies on global objects and consider implementing validation checks to ensure their integrity (see CVE-2026-34208).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T21:44:39Z","date_published":"2026-04-03T21:44:39Z","id":"/briefs/2026-04-sandboxjs-escape/","summary":"A sandbox integrity escape vulnerability exists in SandboxJS versions prior to 0.8.36, allowing untrusted code to bypass global write protections and mutate host shared global objects, potentially leading to cross-context persistence and broader compromise.","title":"SandboxJS Integrity Escape 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-sandboxjs-escape/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["openclaw","sandbox-escape","toctou"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenClaw versions up to and including 2026.3.28 contain a critical vulnerability related to how they handle remote file system operations within a sandboxed environment. Specifically, the \u003ccode\u003ereadFile\u003c/code\u003e function in the remote file system bridge is susceptible to a Time-of-Check Time-of-Use (TOCTOU) race condition. This means that the application verifies the path of a file before reading it, but an attacker can potentially modify the file path in between the check and the read operation. The vulnerability was reported by AntAISecurityLab and patched in version 2026.3.31. Successful exploitation allows attackers to escape the sandbox, potentially leading to arbitrary code execution on the host system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a request to the OpenClaw application, specifying a file path within the allowed sandbox.\u003c/li\u003e\n\u003cli\u003eOpenClaw\u0026rsquo;s \u003ccode\u003ereadFile\u003c/code\u003e function receives the request and validates that the requested path is within the allowed sandbox.\u003c/li\u003e\n\u003cli\u003eAfter the path is validated, but before the file is read, the attacker leverages a race condition to modify the file path. 
This could be achieved by symlink replacement or other file system manipulation techniques.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ereadFile\u003c/code\u003e function now attempts to read the file from the modified path, which could point to a location outside the intended sandbox.\u003c/li\u003e\n\u003cli\u003eThe file from the attacker-controlled path is read, bypassing the initial security check.\u003c/li\u003e\n\u003cli\u003eOpenClaw processes the content of the file, potentially executing malicious code or leaking sensitive information, depending on the file\u0026rsquo;s contents and the application\u0026rsquo;s handling of it.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully escapes the sandbox, gaining unauthorized access to the host system\u0026rsquo;s resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this TOCTOU vulnerability allows an attacker to bypass the intended security restrictions of the OpenClaw sandbox. This can lead to arbitrary code execution on the host system, potentially allowing the attacker to install malware, steal sensitive data, or pivot to other systems on the network. 
While the specific number of affected installations is unknown, all deployments of OpenClaw versions 2026.3.28 or earlier are vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.3.31 or later to patch the vulnerability as indicated in the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect attempts to exploit this TOCTOU vulnerability by monitoring file access patterns.\u003c/li\u003e\n\u003cli\u003eEnable file integrity monitoring (FIM) on critical system files to detect unauthorized modifications that could indicate exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T03:15:00Z","date_published":"2026-04-03T03:15:00Z","id":"/briefs/2026-04-openclaw-sandbox-escape/","summary":"A critical time-of-check time-of-use (TOCTOU) vulnerability in OpenClaw's remote file system bridge allows a sandbox escape by exploiting the delay between path validation and file reading, affecting versions up to 2026.3.28.","title":"OpenClaw TOCTOU Race Condition Leads to Sandbox Escape","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-sandbox-escape/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sandbox-escape","command-injection","praisonai"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePraisonAI\u0026rsquo;s \u003ccode\u003eSubprocessSandbox\u003c/code\u003e, even in STRICT mode, is vulnerable to a sandbox escape. The vulnerability arises from the use of \u003ccode\u003esubprocess.run()\u003c/code\u003e with \u003ccode\u003eshell=True\u003c/code\u003e in \u003ccode\u003esandbox_executor.py\u003c/code\u003e, coupled with an insufficient blocklist that fails to include \u003ccode\u003esh\u003c/code\u003e and \u003ccode\u003ebash\u003c/code\u003e as standalone executables. 
This oversight allows attackers to bypass the intended command restrictions by executing arbitrary commands through \u003ccode\u003esh -c '\u0026lt;command\u0026gt;'\u003c/code\u003e. Versions of PraisonAI up to 4.5.96 are affected. This means that any command blocked by the configured policy can be trivially executed, which could allow agent prompt injection attacks to lead to full system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious command to be executed within the PraisonAI environment.\u003c/li\u003e\n\u003cli\u003eThe PraisonAI application receives the crafted command and attempts to execute it within the \u003ccode\u003eSubprocessSandbox\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eSubprocessSandbox\u003c/code\u003e uses \u003ccode\u003esubprocess.run()\u003c/code\u003e with \u003ccode\u003eshell=True\u003c/code\u003e to execute the provided command.\u003c/li\u003e\n\u003cli\u003eThe blocklist in \u003ccode\u003esandbox_executor.py\u003c/code\u003e fails to block the \u003ccode\u003esh\u003c/code\u003e or \u003ccode\u003ebash\u003c/code\u003e commands themselves.\u003c/li\u003e\n\u003cli\u003eThe attacker injects shell commands via \u003ccode\u003esh -c '\u0026lt;blocked_command\u0026gt;'\u003c/code\u003e, bypassing the string-pattern matching intended to restrict execution.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esh\u003c/code\u003e process executes the attacker\u0026rsquo;s command within the sandbox\u0026rsquo;s context, bypassing the intended security restrictions.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to resources such as network connections, the filesystem, or cloud metadata services.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges and potentially compromises the entire system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to bypass the intended security restrictions imposed by the PraisonAI \u003ccode\u003eSubprocessSandbox\u003c/code\u003e, even in its strictest configuration. This could lead to privilege escalation, unauthorized access to sensitive data, and the potential compromise of the entire system. Specifically, an attacker could leverage this escape to access network resources, manipulate the filesystem, or extract sensitive information from cloud metadata services. The lack of effective sandboxing could have severe consequences for environments relying on PraisonAI for secure execution of untrusted code.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the suggested fix of using \u003ccode\u003eshlex.split()\u003c/code\u003e and \u003ccode\u003eshell=False\u003c/code\u003e when calling \u003ccode\u003esubprocess.run()\u003c/code\u003e to prevent shell command injection (reference: suggested fix code block).\u003c/li\u003e\n\u003cli\u003eUpgrade PraisonAI to a version beyond 4.5.96 to incorporate the patch for CVE-2026-34955 (reference: CVE-2026-34955).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect the execution of \u003ccode\u003esh\u003c/code\u003e or \u003ccode\u003ebash\u003c/code\u003e with the \u003ccode\u003e-c\u003c/code\u003e option, which is indicative of attempts to bypass command restrictions (reference: Sigma rule \u0026ldquo;Detect sh/bash Command Execution with -c Option\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eImplement a more comprehensive blocklist that includes \u003ccode\u003esh\u003c/code\u003e and \u003ccode\u003ebash\u003c/code\u003e as standalone executables in addition to dangerous patterns (reference: 
\u003ccode\u003esandbox_executor.py:179\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-01T23:26:01Z","date_published":"2026-04-01T23:26:01Z","id":"/briefs/2024-01-03-praisonai-sandbox-escape/","summary":"PraisonAI's SubprocessSandbox allows attackers to bypass command restrictions due to the use of `shell=True` in `subprocess.run()` combined with an insufficient blocklist that does not include `sh` or `bash`, enabling command execution via `sh -c '\u003ccommand\u003e'`.","title":"PraisonAI SubprocessSandbox Shell Escape via sh/bash","url":"https://feed.craftedsignal.io/briefs/2024-01-03-praisonai-sandbox-escape/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["openclaw","sandbox-escape","authorization"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-32918 affects OpenClaw versions prior to 2026.3.11. The vulnerability resides in the \u003ccode\u003esession_status\u003c/code\u003e tool, which is intended to manage sandboxed subagents. However, a flaw allows these sandboxed agents to bypass their intended restrictions and access session data belonging to parent or sibling sessions. 
An attacker can exploit this by supplying arbitrary \u003ccode\u003esessionKey\u003c/code\u003e values, enabling them to read and modify sensitive session data, including persisted model overrides, far beyond the…\u003c/p\u003e\n","date_modified":"2026-03-29T13:17:00Z","date_published":"2026-03-29T13:17:00Z","id":"/briefs/2026-03-openclaw-sandbox-escape/","summary":"OpenClaw before 2026.3.11 contains a session sandbox escape vulnerability in the session_status tool, allowing sandboxed subagents to access and modify session data outside their intended scope.","title":"OpenClaw Session Sandbox Escape Vulnerability (CVE-2026-32918)","url":"https://feed.craftedsignal.io/briefs/2026-03-openclaw-sandbox-escape/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sandbox-escape","privilege-escalation","cve-2026-32915"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-32915 describes a critical sandbox escape vulnerability affecting OpenClaw versions prior to 2026.3.11. The flaw resides in the insufficient authorization checks implemented on subagent control requests. A low-privilege sandboxed leaf worker can exploit this to bypass the intended sandbox boundaries and access the subagents control surface. This allows the attacker to resolve requests against the parent requester scope, instead of being limited to their own session tree. 
This…\u003c/p\u003e\n","date_modified":"2026-03-29T13:16:59Z","date_published":"2026-03-29T13:16:59Z","id":"/briefs/2026-03-openclaw-sandbox-bypass/","summary":"OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability that allows low-privilege leaf subagents to access the subagents control surface and execute commands with broader tool policies due to insufficient authorization checks, potentially leading to privilege escalation and unauthorized control of sibling processes.","title":"OpenClaw Sandbox Boundary Bypass Vulnerability (CVE-2026-32915)","url":"https://feed.craftedsignal.io/briefs/2026-03-openclaw-sandbox-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["use-after-free","sandbox-escape","firefox","thunderbird"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-4725 is a critical use-after-free vulnerability impacting the Canvas2D graphics component in Mozilla Firefox and Thunderbird. Specifically, versions prior to 149 are affected. This vulnerability could allow an attacker to potentially escape the browser\u0026rsquo;s or email client\u0026rsquo;s sandbox. The vulnerability stems from improper memory management in the Canvas2D component, where freed memory is accessed again. 
Successful exploitation of this flaw could grant an attacker elevated privileges or the…\u003c/p\u003e\n","date_modified":"2026-03-24T13:16:08Z","date_published":"2026-03-24T13:16:08Z","id":"/briefs/2026-03-cve-2026-4725/","summary":"A use-after-free vulnerability in the Canvas2D component of Mozilla Firefox and Thunderbird versions before 149 allows for a potential sandbox escape.","title":"Mozilla Firefox and Thunderbird Canvas2D Use-After-Free Vulnerability (CVE-2026-4725)","url":"https://feed.craftedsignal.io/briefs/2026-03-cve-2026-4725/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["use-after-free","sandbox-escape","cve-2026-4688"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-4688 is a critical use-after-free vulnerability residing within the Disability Access APIs component of Mozilla Firefox and Thunderbird. Discovered and reported by Mozilla, this flaw allows for a sandbox escape, meaning an attacker could potentially execute arbitrary code outside the security sandbox normally imposed by the browser or email client. 
This vulnerability affects Firefox versions prior to 149, Firefox ESR (Extended Support Release) versions prior to 140.9, Thunderbird…\u003c/p\u003e\n","date_modified":"2026-03-24T13:16:04Z","date_published":"2026-03-24T13:16:04Z","id":"/briefs/2026-03-firefox-use-after-free/","summary":"A use-after-free vulnerability in the Disability Access APIs component of Mozilla Firefox and Thunderbird (CVE-2026-4688) allows for sandbox escape, potentially leading to arbitrary code execution outside the sandbox.","title":"Mozilla Firefox and Thunderbird Use-After-Free Vulnerability (CVE-2026-4688)","url":"https://feed.craftedsignal.io/briefs/2026-03-firefox-use-after-free/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["sandbox-escape","firefox","thunderbird","cve-2026-4687"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-4687 is a critical sandbox escape vulnerability affecting Mozilla Firefox and Thunderbird. The vulnerability stems from incorrect boundary conditions within the Telemetry component. Specifically, Firefox versions prior to 149, Firefox ESR versions prior to 115.34 and 140.9, and Thunderbird versions prior to 149 and 140.9 are affected. 
Successful exploitation could allow an attacker to bypass the intended security restrictions of the sandbox environment and potentially execute arbitrary…\u003c/p\u003e\n","date_modified":"2026-03-24T13:16:04Z","date_published":"2026-03-24T13:16:04Z","id":"/briefs/2026-03-firefox-sandbox-escape/","summary":"CVE-2026-4687 is a sandbox escape vulnerability in Firefox and Thunderbird due to incorrect boundary conditions in the Telemetry component, potentially allowing an attacker to execute arbitrary code outside the sandbox.","title":"Firefox and Thunderbird Sandbox Escape Vulnerability (CVE-2026-4687)","url":"https://feed.craftedsignal.io/briefs/2026-03-firefox-sandbox-escape/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sandbox escape","integer overflow","mozilla firefox","mozilla thunderbird","cve-2026-4690"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-4690 is a critical vulnerability affecting Mozilla Firefox, Firefox ESR, and Thunderbird. The root cause lies in incorrect boundary conditions coupled with an integer overflow within the XPCOM component. Successful exploitation allows an attacker to bypass the sandbox protections, potentially leading to arbitrary code execution outside the confines of the browser\u0026rsquo;s security measures. 
The vulnerability impacts Firefox versions earlier than 149, Firefox ESR versions prior to 115.34 and…\u003c/p\u003e\n","date_modified":"2026-03-24T13:16:04Z","date_published":"2026-03-24T13:16:04Z","id":"/briefs/2024-01-cve-2026-4690-firefox-sandbox-escape/","summary":"A sandbox escape vulnerability, identified as CVE-2026-4690, exists in the XPCOM component of Mozilla Firefox, Firefox ESR, and Thunderbird due to incorrect boundary conditions and an integer overflow, potentially allowing an attacker to execute arbitrary code outside the sandbox.","title":"CVE-2026-4690: Mozilla Firefox, Firefox ESR, and Thunderbird XPCOM Sandbox Escape","url":"https://feed.craftedsignal.io/briefs/2024-01-cve-2026-4690-firefox-sandbox-escape/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["use-after-free","sandbox-escape","chrome","cve-2026-4676"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-4676 is a use-after-free vulnerability affecting Google Chrome versions prior to 146.0.7680.165. This flaw resides within the Dawn component of Chrome and can be triggered by a remote attacker who crafts a malicious HTML page. Successful exploitation could lead to a sandbox escape, granting the attacker elevated privileges within the system. This vulnerability was patched in the March 23, 2026 stable channel update for desktop. 
The vulnerability affects users on Windows, Linux, and…\u003c/p\u003e\n","date_modified":"2026-03-24T01:17:03Z","date_published":"2026-03-24T01:17:03Z","id":"/briefs/2026-03-chrome-uaf/","summary":"A use-after-free vulnerability (CVE-2026-4676) in Google Chrome before 146.0.7680.165 allows a remote attacker to potentially perform a sandbox escape via a crafted HTML page.","title":"Google Chrome Use-After-Free Vulnerability (CVE-2026-4676)","url":"https://feed.craftedsignal.io/briefs/2026-03-chrome-uaf/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["vm2 (\u003c= 3.10.4)"],"_cs_severities":["critical"],"_cs_tags":["sandbox-escape","rce","vm2"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eThe vm2 library, a popular Node.js sandbox environment, is susceptible to a critical sandbox breakout vulnerability. This flaw allows malicious code executed within the vm2 sandbox to escape its confines and execute arbitrary commands on the host operating system. The vulnerability leverages the \u003ccode\u003e__lookupGetter__\u003c/code\u003e method to bypass context isolation and gain access to host-level functions and objects. Previous attempts to mitigate similar issues were circumvented using \u003ccode\u003eObject.getOwnPropertyDescriptor\u003c/code\u003e to access the constructor property. The vulnerability affects vm2 versions 3.10.4 and earlier. 
Exploitation allows an attacker to achieve remote code execution with the privileges of the Node.js process running the vm2 sandbox, which could lead to significant system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker injects malicious JavaScript code into the vm2 sandbox.\u003c/li\u003e\n\u003cli\u003eThe injected code retrieves the \u003ccode\u003e__lookupGetter__\u003c/code\u003e method, which is used to access the getter of an object.\u003c/li\u003e\n\u003cli\u003eThe malicious code obtains the \u003ccode\u003eapply\u003c/code\u003e method from the \u003ccode\u003eBuffer\u003c/code\u003e object within the sandbox.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eapply\u003c/code\u003e method is used to invoke the host version of \u003ccode\u003e__lookupGetter__\u003c/code\u003e with \u003ccode\u003eBuffer\u003c/code\u003e and \u003ccode\u003e__proto__\u003c/code\u003e as arguments, gaining access to the host\u0026rsquo;s prototype lookup method.\u003c/li\u003e\n\u003cli\u003eThe host\u0026rsquo;s \u003ccode\u003eFunction.prototype\u003c/code\u003e object is retrieved using the prototype lookup method.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003econstructor\u003c/code\u003e property of the \u003ccode\u003eFunction.prototype\u003c/code\u003e object is accessed using \u003ccode\u003eObject.getOwnPropertyDescriptor\u003c/code\u003e to bypass previous mitigation attempts.\u003c/li\u003e\n\u003cli\u003eThe host \u003ccode\u003eFunction\u003c/code\u003e constructor is used to create a new function that returns the \u003ccode\u003eprocess\u003c/code\u003e object, granting access to Node.js runtime functions on the host.\u003c/li\u003e\n\u003cli\u003eThe code then uses \u003ccode\u003echild_process.execSync\u003c/code\u003e to execute arbitrary commands on the host system (e.g., \u003ccode\u003etouch pwned\u003c/code\u003e).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to execute arbitrary code on the host system. Given the critical nature of many applications that employ sandboxing, this can lead to complete system compromise, data exfiltration, and denial of service. The vulnerability affects vm2 versions up to and including 3.10.4. The impact includes remote code execution, potentially leading to sensitive data exposure, system takeover, or further lateral movement within a network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of vm2 greater than 3.10.4 to remediate CVE-2026-24118.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization to minimize the risk of malicious code injection into the vm2 sandbox.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events on the host system for suspicious activity originating from Node.js processes, which may indicate a sandbox escape (see the process_creation Sigma rule below).\u003c/li\u003e\n\u003cli\u003eMonitor for the execution of commands such as \u003ccode\u003echild_process.execSync\u003c/code\u003e called from within vm2 sandboxes to detect potential exploitation attempts (see the \u003ccode\u003enodejs_child_process_exec\u003c/code\u003e Sigma rule).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-vm2-sandbox-breakout/","summary":"VM2 is vulnerable to a sandbox breakout via the `__lookupGetter__` method, enabling attackers to execute arbitrary commands on the host system by exploiting context switching and property descriptor manipulation, leading to remote code execution.","title":"VM2 Sandbox Escape via __lookupGetter__ 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-vm2-sandbox-breakout/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["openlearnx"],"_cs_severities":["critical"],"_cs_tags":["rce","sandbox escape","code injection"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical Remote Code Execution (RCE) vulnerability, tracked as CVE-2026-41900, has been identified in the OpenLearnX code execution environment. This vulnerability allows an attacker to escape the Python sandbox and execute arbitrary commands on the underlying system. The vulnerability affects OpenLearnX versions prior to 2.0.3. A patch has been released in version 2.0.3 to address this issue. This vulnerability allows attackers to potentially compromise the entire system hosting the OpenLearnX application, leading to data breaches, service disruption, or complete system takeover.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious payload designed to exploit the Python sandbox environment within OpenLearnX.\u003c/li\u003e\n\u003cli\u003eThis payload is submitted to the OpenLearnX application through a vulnerable code execution endpoint.\u003c/li\u003e\n\u003cli\u003eThe application processes the malicious payload, failing to properly neutralize special elements.\u003c/li\u003e\n\u003cli\u003eThe crafted payload bypasses the sandbox restrictions, gaining unauthorized access to system resources.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages OS Command Injection (CWE-78) and Code Injection (CWE-94) to execute arbitrary commands.\u003c/li\u003e\n\u003cli\u003eThese commands can be used to install malware, modify system configurations, or exfiltrate sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker gains elevated privileges due to the Execution with Unnecessary Privileges (CWE-250) vulnerability.\u003c/li\u003e\n\u003cli\u003eThe ultimate 
objective is to gain complete control over the OpenLearnX server, potentially impacting all hosted applications and data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41900 allows for complete system compromise, leading to potential data breaches, service disruption, or complete system takeover. While specific victim counts are unavailable, the severity of the vulnerability and ease of exploitation make it a critical concern for any organization using affected versions of OpenLearnX. Successful exploitation could lead to unauthorized access to sensitive data, modification of system configurations, and the installation of malware.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenLearnX to version 2.0.3 or later to patch CVE-2026-41900.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious OpenLearnX Code Execution\u0026rdquo; to your SIEM to detect potential exploitation attempts (see rule below).\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization measures to prevent OS command injection and code injection attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T18:00:00Z","date_published":"2024-01-02T18:00:00Z","id":"/briefs/2024-01-02-openlearnx-rce/","summary":"A critical RCE vulnerability in OpenLearnX allows for sandbox escape and arbitrary command execution in versions prior to 2.0.3.","title":"OpenLearnX Remote Code Execution via Python Sandbox Escape","url":"https://feed.craftedsignal.io/briefs/2024-01-02-openlearnx-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["openclaw (\u003c= 2026.4.21)"],"_cs_severities":["high"],"_cs_tags":["sandbox-escape","symlink","race-condition","npm"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eOpenClaw, a tool available via npm, contains a 
vulnerability in versions 2026.4.21 and earlier that could allow for a sandbox escape. This vulnerability stems from a time-of-check/time-of-use (TOCTOU) race condition during filesystem writes within the OpenShell sandbox environment. An attacker could potentially exploit this vulnerability by manipulating symlinks to redirect write operations outside of the intended local mount root. This can occur because OpenClaw does not properly validate the target of write operations against the mount root, leaving it susceptible to symlink-based redirection attacks. Successful exploitation could allow an attacker to modify sensitive files outside the sandbox. The vulnerability is fixed in version 2026.4.22.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious OpenClaw package or leverages an existing package.\u003c/li\u003e\n\u003cli\u003eThe package contains a symlink within the intended sandbox directory.\u003c/li\u003e\n\u003cli\u003eThe OpenClaw application attempts to write to a file via the symlink.\u003c/li\u003e\n\u003cli\u003eBetween the time OpenClaw checks the symlink and the time it performs the write operation, the attacker replaces the symlink with a new symlink pointing outside the intended sandbox root.\u003c/li\u003e\n\u003cli\u003eOpenClaw, due to the TOCTOU race condition, writes to the file location pointed to by the new symlink, which resides outside the sandbox.\u003c/li\u003e\n\u003cli\u003eThis allows the attacker to overwrite or modify arbitrary files on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages this capability to gain elevated privileges or compromise sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability could allow an attacker to bypass the intended security restrictions of the OpenClaw sandbox. 
An attacker could potentially overwrite system files, inject malicious code into existing applications, or steal sensitive data. While the exact number of affected installations is unknown, any system running a vulnerable version of OpenClaw is susceptible to this attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to OpenClaw version 2026.4.22 or later to patch the vulnerability (reference: Affected Packages / Versions).\u003c/li\u003e\n\u003cli\u003eMonitor file system events for unexpected modifications outside of the expected OpenClaw sandbox directory. Deploy the Sigma rule \u003ccode\u003eDetect OpenClaw Sandbox Escape via Symlink\u003c/code\u003e to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement stricter file system access controls to limit the potential impact of successful exploitation (reference: Impact).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-openclaw-symlink/","summary":"A time-of-check/time-of-use (TOCTOU) race condition in OpenClaw versions 2026.4.21 and earlier allows a symlink swap to redirect filesystem writes outside the intended sandbox mount root, potentially leading to arbitrary file modification.","title":"OpenClaw Symlink Race Condition Allows Sandbox Escape","url":"https://feed.craftedsignal.io/briefs/2024-01-openclaw-symlink/"}],"language":"en","title":"CraftedSignal Threat Feed — Sandbox Escape","version":"https://jsonfeed.org/version/1.1"}