
CVE-2025-9185 – thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 115.27, Firefox ESR 128.14, Thunderbird ESR 128.14, Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142
https://notcve.org/view.php?id=CVE-2025-9185
19 Aug 2025 — Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, sandbox escape or bypass of the same-origin policy. • https://bugzilla.mozilla.org/buglist.cgi?bug_id=1970154%2C1976782%2C1977166 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •

CVE-2025-9181 – thunderbird: firefox: Uninitialized memory in the JavaScript Engine component
https://notcve.org/view.php?id=CVE-2025-9181
19 Aug 2025 — Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, sandbox escape or bypass of the same-origin policy. • https://bugzilla.mozilla.org/show_bug.cgi?id=1977130 • CWE-457: Use of Uninitialized Variable CWE-665: Improper Initialization •

CVE-2025-9180 – thunderbird: firefox: Same-origin policy bypass in the Graphics: Canvas2D component
https://notcve.org/view.php?id=CVE-2025-9180
19 Aug 2025 — Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, sandbox escape or bypass of the same-origin policy. • https://bugzilla.mozilla.org/show_bug.cgi?id=1979782 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-346: Origin Validation Error •

CVE-2025-9179 – thunderbird: firefox: Sandbox escape due to invalid pointer in the Audio/Video: GMP component
https://notcve.org/view.php?id=CVE-2025-9179
19 Aug 2025 — Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, sandbox escape or bypass of the same-origin policy. • https://bugzilla.mozilla.org/show_bug.cgi?id=1979527 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •

CVE-2025-54782 – @nestjs/devtools-integration's CSRF to Sandbox Escape Allows for RCE against JS Developers
https://notcve.org/view.php?id=CVE-2025-54782
01 Aug 2025 — When enabled, the package exposes a local development HTTP server with an API endpoint that uses an unsafe JavaScript sandbox (safe-eval-like implementation). ... One of these endpoints, /inspector/graph/interact, accepts JSON input containing a code field and executes the provided code in a Node.js vm.runInNewContext sandbox. • https://github.com/JLLeitschuh/nestjs-devtools-integration-rce-poc • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2025-34146 – nyariv sandboxjs 0.8.23 Prototype Pollution Sandbox Escape DoS
https://notcve.org/view.php?id=CVE-2025-34146
31 Jul 2025 — This can result in a denial-of-service (DoS) condition or, under certain conditions, escape the sandboxed environment intended to restrict code execution. The vulnerability stems from insufficient prototype access checks in the sandbox’s executor logic, particularly in the handling of JavaScript function objects returned. • https://github.com/nyariv/SandboxJS/issues/31 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •

CVE-2025-41688 – High Privilege RCE via LUA Sandbox Escape
https://notcve.org/view.php?id=CVE-2025-41688
31 Jul 2025 — A high privileged remote attacker can execute arbitrary OS commands using an undocumented method allowing to escape the implemented LUA sandbox. • https://certvde.com/de/advisories/VDE-2025-065 • CWE-653: Improper Isolation or Compartmentalization •

CVE-2025-5120 – Sandbox Escape Vulnerability in huggingface/smolagents
https://notcve.org/view.php?id=CVE-2025-5120
27 Jul 2025 — A sandbox escape vulnerability was identified in huggingface/smolagents version 1.14.0, allowing attackers to bypass the restricted execution environment and achieve remote code execution (RCE). ... Se identificó una vulnerabilidad de escape del entorno de pruebas en la versión 1.14.0 de huggingface/smolagents, que permite a los atacantes eludir el entorno de ejecución restringido y lograr la ejecución remota de código (RCE). • https://github.com/huggingface/smolagents/commit/33a942e62b6fbf6a35d41f1c735bda2d64c163d0 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-53927 – MaxKB sandbox bypass
https://notcve.org/view.php?id=CVE-2025-53927
17 Jul 2025 — Prior to version 2.0.0, the sandbox design rules can be bypassed because MaxKB only restricts the execution permissions of files in a specific directory. • https://github.com/1Panel-dev/MaxKB/releases/tag/v2.0.0 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-6558 – Google Chromium ANGLE and GPU Improper Input Validation Vulnerability
https://notcve.org/view.php?id=CVE-2025-6558
15 Jul 2025 — Insufficient validation of untrusted input in ANGLE and GPU in Google Chrome prior to 138.0.7204.157 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. ... This vulnerability could allow a remote attacker to potentially perform a sandbox escape via a crafted HTML page. • https://github.com/allinsthon/CVE-2025-6558-exp • CWE-76: Improper Neutralization of Equivalent Special Elements •