CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-27597 – @enclave-vm/core is vulnerable to Sandbox Escape
https://notcve.org/view.php?id=CVE-2026-27597
25 Feb 2026 — Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to version 2.11.1, it is possible to escape the security boundaries set by `@enclave-vm/core`, which can be used to achieve remote code execution (RCE). The issue has been fixed in version 2.11.1. • https://github.com/agentfront/enclave/commit/09afbebe4cb6d0586c1145aa71ffabd2103932db • CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS: 10.0 • EPSS: 0% • CPEs: 5 • EXPL: 0 • CVE-2026-2778 – Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component
https://notcve.org/view.php?id=CVE-2026-2778
24 Feb 2026 — Sandbox escape due to incorrect boundary conditions in the DOM: Core & HTML component. • https://bugzilla.mozilla.org/show_bug.cgi?id=2016358
CVSS: 10.0 • EPSS: 0% • CPEs: 5 • EXPL: 0 • CVE-2026-2776 – Sandbox escape due to incorrect boundary conditions in the Telemetry component in External Software
https://notcve.org/view.php?id=CVE-2026-2776
24 Feb 2026 — Sandbox escape due to incorrect boundary conditions in the Telemetry component in External Software. • https://bugzilla.mozilla.org/show_bug.cgi?id=2015266
CVSS: 10.0 • EPSS: 0% • CPEs: 4 • EXPL: 0 • CVE-2026-2768 – Sandbox escape in the Storage: IndexedDB component
https://notcve.org/view.php?id=CVE-2026-2768
24 Feb 2026 — Sandbox escape in the Storage: IndexedDB component. • https://bugzilla.mozilla.org/show_bug.cgi?id=2014101
CVSS: 10.0 • EPSS: 0% • CPEs: 5 • EXPL: 0 • CVE-2026-2761 – Sandbox escape in the Graphics: WebRender component
https://notcve.org/view.php?id=CVE-2026-2761
24 Feb 2026 — Sandbox escape in the Graphics: WebRender component. • https://bugzilla.mozilla.org/show_bug.cgi?id=2011063
CVSS: 10.0 • EPSS: 0% • CPEs: 5 • EXPL: 0 • CVE-2026-2760 – Sandbox escape due to incorrect boundary conditions in the Graphics: WebRender component
https://notcve.org/view.php?id=CVE-2026-2760
24 Feb 2026 — Sandbox escape due to incorrect boundary conditions in the Graphics: WebRender component. • https://bugzilla.mozilla.org/show_bug.cgi?id=2011062
CVSS: 9.4 • EPSS: 0% • CPEs: 2 • EXPL: 0 • CVE-2025-11165
https://notcve.org/view.php?id=CVE-2025-11165
24 Feb 2026 — A sandbox escape vulnerability exists in dotCMS’s Velocity scripting engine (VTools) that allows authenticated users with scripting privileges to bypass class and package restrictions enforced by SecureUberspectorImpl. • https://dev.dotcms.com/docs/known-security-issues?issueNumber=SI-74 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSS: 9.9 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-27574 – OneUptime: node:vm sandbox escape in probe allows any project member to achieve RCE
https://notcve.org/view.php?id=CVE-2026-27574
21 Feb 2026 — In versions 9.5.13 and below, the custom JavaScript monitor feature uses Node.js's node:vm module (explicitly documented as not a security mechanism) to execute user-supplied code, allowing trivial sandbox escape via a well-known one-liner that grants full access to the underlying process. • https://github.com/OneUptime/oneuptime/commit/7f9ed4d43945574702a26b7c206e38cc344fe427 • CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS: 9.9 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-26268 – Cursor sandbox escape via Git hooks
https://notcve.org/view.php?id=CVE-2026-26268
13 Feb 2026 — Sandbox escape via writing .git configuration was possible in versions prior to 2.5. • https://github.com/cursor/cursor/security/advisories/GHSA-8pcm-8jpx-hv8r • CWE-862: Missing Authorization
CVSS: 9.0 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-25881 – @nyariv/sandboxjs has host prototype pollution from sandbox via array intermediary (sandbox escape)
https://notcve.org/view.php?id=CVE-2026-25881
09 Feb 2026 — Prior to 0.8.31, a sandbox escape vulnerability allows sandboxed code to mutate host built-in prototypes by laundering the isGlobal protection flag through array literal intermediaries. • https://github.com/nyariv/SandboxJS/commit/f369f8db26649f212a6a9a2e7a1624cb2f705b53 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
