CVSS: 9.6EPSS: 0%CPEs: 1EXPL: 0CVE-2026-34430 – ByteDance DeerFlow LocalSandboxProvider Host Bash Escape
https://notcve.org/view.php?id=CVE-2026-34430
01 Apr 2026 — ByteDance Deer-Flow versions prior to commit 92c7a20 contain a sandbox escape vulnerability in bash tool handling that allows attackers to execute arbitrary commands on the host system by bypassing regex-based validation using shell features such as directory changes and relative paths. • https://github.com/bytedance/deer-flow/commit/92c7a20cb74addc3038d2131da78f2e239ef542e • CWE-184: Incomplete List of Disallowed Inputs •
CVSS: 6.3EPSS: 0%CPEs: 1EXPL: 0CVE-2026-34451 – Claude SDK for TypeScript: Memory Tool Path Validation Allows Sandbox Escape to Sibling Directories
https://notcve.org/view.php?id=CVE-2026-34451
31 Mar 2026 — Claude SDK for TypeScript provides access to the Claude API from server-side TypeScript or JavaScript applications. From version 0.79.0 to before version 0.81.0, the local filesystem memory tool in the Anthropic TypeScript SDK validated model-supplied paths using a string prefix check that did not append a trailing path separator. A model steered by prompt injection could supply a crafted path that resolved to a sibling directory sharing the memory root's name as a prefix, allowing reads and writes outside ... • https://github.com/anthropics/anthropic-sdk-typescript/commit/0ac69b3438ee9c96b21a7d3c39c07b7cdb6995d9 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-41: Improper Resolution of Path Equivalence •
CVSS: 5.8EPSS: 0%CPEs: 1EXPL: 0CVE-2026-34452 – Claude SDK for Python: Memory Tool Path Validation Race Condition Allows Sandbox Escape
https://notcve.org/view.php?id=CVE-2026-34452
31 Mar 2026 — The Claude SDK for Python provides access to the Claude API from Python applications. From version 0.86.0 to before version 0.87.0, the async local filesystem memory tool in the Anthropic Python SDK validated that model-supplied paths resolved inside the sandboxed memory directory, but then returned the unresolved path for subsequent file operations. A local attacker able to write to the memory directory could retarget a symlink between validation and use, causing reads or writes to escape the sandbox. The ... • https://github.com/anthropics/anthropic-sdk-python/commit/6599043eee6e86dce16953fcd1fd828052052be6 • CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVSS: 8.6EPSS: 0%CPEs: 1EXPL: 0CVE-2026-33581 – OpenClaw < 2026.3.24 - Arbitrary File Read via mediaUrl and fileUrl Parameters
https://notcve.org/view.php?id=CVE-2026-33581
31 Mar 2026 — OpenClaw before 2026.3.24 contains a sandbox bypass vulnerability in the message tool that allows attackers to read arbitrary local files by using mediaUrl and fileUrl alias parameters that bypass localRoots validation. • https://github.com/openclaw/openclaw/commit/1d7cb6fc03552bbba00e7cffb3aa9741f5556416 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.9EPSS: 5%CPEs: 1EXPL: 0CVE-2026-34156 – NocoBase Affected by Sandbox Escape to RCE via console.
https://notcve.org/view.php?id=CVE-2026-34156
31 Mar 2026 — NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.28, NocoBase's Workflow Script Node executes user-supplied JavaScript inside a Node.js vm sandbox with a custom require allowlist (controlled by WORKFLOW_SCRIPT_MODULES env var). However, the console object passed into the sandbox context exposes host-realm WritableWorkerStdio stream objects via console._stdout and console._stderr. • https://github.com/nocobase/nocobase/pull/8967 • CWE-913: Improper Control of Dynamically-Managed Code Resources •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2026-28505 – Tautulli: RCE via eval() sandbox bypass using lambda nested scope to escape co_names whitelist check
https://notcve.org/view.php?id=CVE-2026-28505
30 Mar 2026 — Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the str_eval() function in notification_handler.py implements a sandboxed eval() for notification text templates. The sandbox attempts to restrict callable names by inspecting code.co_names of the compiled code object. However, co_names only contains names from the outer code object. When a lambda expression is used, it creates a nested code object whose attribute accesses are stored in code.co_consts, NO... • https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') •
CVSS: 9.2EPSS: 0%CPEs: 1EXPL: 0CVE-2026-32918 – OpenClaw < 2026.3.11 - Session Sandbox Escape via session_status Tool
https://notcve.org/view.php?id=CVE-2026-32918
29 Mar 2026 — OpenClaw before 2026.3.11 contains a session sandbox escape vulnerability in the session_status tool that allows sandboxed subagents to access parent or sibling session state. • https://www.vulncheck.com/advisories/openclaw-session-sandbox-escape-via-session-status-tool • CWE-863: Incorrect Authorization •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 1CVE-2026-33396 – OneUptime has sandbox escape in Synthetic Monitor Playwright runtime allows project members to execute arbitrary commands on Probe
https://notcve.org/view.php?id=CVE-2026-33396
26 Mar 2026 — OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.35, a low-privileged authenticated user (ProjectMember) can achieve remote command execution on the Probe container/host by abusing Synthetic Monitor Playwright script execution. Synthetic monitor code is executed in VMRunner.runCodeInNodeVM with a live Playwright page object in context. The sandbox relies on a denylist of blocked properties/methods, but it is incomplete. Specifically, _browserType and launchServer are ... • https://github.com/OneUptime/oneuptime/commit/e8e4ee3ff0740eb131045ab3d67453141c46178a • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-184: Incomplete List of Disallowed Inputs CWE-693: Protection Mechanism Failure •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2026-4725 – Sandbox escape due to use-after-free in the Graphics: Canvas2D component
https://notcve.org/view.php?id=CVE-2026-4725
24 Mar 2026 — Sandbox escape due to use-after-free in the Graphics: Canvas2D component. • https://bugzilla.mozilla.org/show_bug.cgi?id=2017108 • CWE-416: Use After Free •
CVSS: 9.6EPSS: 0%CPEs: -EXPL: 0CVE-2026-4692 – Sandbox escape in the Responsive Design Mode component
https://notcve.org/view.php?id=CVE-2026-4692
24 Mar 2026 — Sandbox escape in the Responsive Design Mode component. • https://bugzilla.mozilla.org/show_bug.cgi?id=2017643 •