CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-48543 – Android Runtime Use-After-Free Vulnerability
https://notcve.org/view.php?id=CVE-2025-48543
04 Sep 2025 — In multiple locations, there is a possible way to escape chrome sandbox to attack android system_server due to a use after free. ... Android Runtime contains a use-after-free vulnerability potentially allowing a chrome sandbox escape leading to local privilege escalation. • https://android.googlesource.com/platform/art/+/444fc40dfb04d2ec5f74c443ed3a4dd45d3131f2 • CWE-416: Use After Free •
CVSS: 9.0EPSS: 0%CPEs: -EXPL: 0CVE-2025-9959 – Sandbox escape in smolagents Local Python execution environment via dunder attributes
https://notcve.org/view.php?id=CVE-2025-9959
03 Sep 2025 — Incomplete validation of dunder attributes allows an attacker to escape from the Local Python execution environment sandbox, enforced by smolagents. • https://research.jfrog.com/vulnerabilities/smolagents-local-python-sandbox-escape-jfsa-2025-001434277 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.1EPSS: 0%CPEs: 9EXPL: 0CVE-2025-9185 – thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 115.27, Firefox ESR 128.14, Thunderbird ESR 128.14, Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142
https://notcve.org/view.php?id=CVE-2025-9185
19 Aug 2025 — Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, sandbox escape or bypass of the same-origin policy. • https://bugzilla.mozilla.org/buglist.cgi?bug_id=1970154%2C1976782%2C1977166 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 7.8EPSS: 0%CPEs: 9EXPL: 0CVE-2025-9181 – thunderbird: firefox: Uninitialized memory in the JavaScript Engine component
https://notcve.org/view.php?id=CVE-2025-9181
19 Aug 2025 — Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, sandbox escape or bypass of the same-origin policy. • https://bugzilla.mozilla.org/show_bug.cgi?id=1977130 • CWE-457: Use of Uninitialized Variable CWE-665: Improper Initialization •
CVSS: 9.4EPSS: 0%CPEs: 9EXPL: 0CVE-2025-9180 – thunderbird: firefox: Same-origin policy bypass in the Graphics: Canvas2D component
https://notcve.org/view.php?id=CVE-2025-9180
19 Aug 2025 — Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, sandbox escape or bypass of the same-origin policy. • https://bugzilla.mozilla.org/show_bug.cgi?id=1979782 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-346: Origin Validation Error •
CVSS: 10.0EPSS: 0%CPEs: 9EXPL: 0CVE-2025-9179 – thunderbird: firefox: Sandbox escape due to invalid pointer in the Audio/Video: GMP component
https://notcve.org/view.php?id=CVE-2025-9179
19 Aug 2025 — Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, sandbox escape or bypass of the same-origin policy. • https://bugzilla.mozilla.org/show_bug.cgi?id=1979527 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 10.0EPSS: 5%CPEs: 1EXPL: 0CVE-2025-54782 – @nestjs/devtools-integration's CSRF to Sandbox Escape Allows for RCE against JS Developers
https://notcve.org/view.php?id=CVE-2025-54782
01 Aug 2025 — When enabled, the package exposes a local development HTTP server with an API endpoint that uses an unsafe JavaScript sandbox (safe-eval-like implementation). ... One of these endpoints, /inspector/graph/interact, accepts JSON input containing a code field and executes the provided code in a Node.js vm.runInNewContext sandbox. • https://github.com/JLLeitschuh/nestjs-devtools-integration-rce-poc • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2025-34146 – nyariv sandboxjs 0.8.23 Prototype Pollution Sandbox Escape DoS
https://notcve.org/view.php?id=CVE-2025-34146
31 Jul 2025 — This can result in a denial-of-service (DoS) condition or, under certain conditions, escape the sandboxed environment intended to restrict code execution. The vulnerability stems from insufficient prototype access checks in the sandbox’s executor logic, particularly in the handling of JavaScript function objects returned. • https://github.com/nyariv/SandboxJS/issues/31 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 8.3EPSS: 0%CPEs: 4EXPL: 0CVE-2025-41688 – High Privilege RCE via LUA Sandbox Escape
https://notcve.org/view.php?id=CVE-2025-41688
31 Jul 2025 — A high privileged remote attacker can execute arbitrary OS commands using an undocumented method allowing to escape the implemented LUA sandbox. • https://certvde.com/de/advisories/VDE-2025-065 • CWE-653: Improper Isolation or Compartmentalization •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2025-5120 – Sandbox Escape Vulnerability in huggingface/smolagents
https://notcve.org/view.php?id=CVE-2025-5120
27 Jul 2025 — A sandbox escape vulnerability was identified in huggingface/smolagents version 1.14.0, allowing attackers to bypass the restricted execution environment and achieve remote code execution (RCE). ... Se identificó una vulnerabilidad de escape del entorno de pruebas en la versión 1.14.0 de huggingface/smolagents, que permite a los atacantes eludir el entorno de ejecución restringido y lograr la ejecución remota de código (RCE). • https://github.com/huggingface/smolagents/commit/33a942e62b6fbf6a35d41f1c735bda2d64c163d0 • CWE-94: Improper Control of Generation of Code ('Code Injection') •