CVE-2026-25533

Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to 2.10.1, the existing layers of security in enclave-vm are insufficient: The AST sanitization can be bypassed with dynamic property accesses, the hardening of the error objects does not cover the peculiar...

Code Injection

Enclave is vulnerable to Code Injection. The vulnerability is due to exposure of a host-side Error object with an intact prototype chain to sandboxed code, which allows an attacker to traverse to the host Function constructor and execute arbitrary code in the Node.js host runtime...

CVE-2026-22686

Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to 2.7.0, there is a critical sandbox escape vulnerability in enclave-vm that allows untrusted, sandboxed JavaScript code to execute arbitrary code in the host Node.js runtime. When a tool invocation fails,...

enclave-vm Vulnerable to Sandbox Escape via Host Error Prototype Chain

A critical sandbox escape vulnerability exists in enclave-vm affected: 2.6.0, patched: 2.7.0 that can allow untrusted, sandboxed JavaScript to execute arbitrary code in the host Node.js runtime. When a tool invocation fails, enclave-vm exposes a host-side Error object to sandboxed code. This Erro...

CVE-2026-22686

The CVE-2026-22686 issue affects enclave-vm prior to version 2.7.0. A sandbox escape exists when a tool invocation fails and a host-side Error object is leaked into the sandbox, allowing traversal of the host realm prototype chain to reach the host Function constructor. This enables arbitrary cod...

PT-2026-2792

Name of the Vulnerable Software and Affected Versions Enclave versions prior to 2.7.0 Description Enclave is a secure JavaScript sandbox used for safe AI agent code execution. A critical sandbox escape issue exists in enclave-vm, allowing untrusted JavaScript code to execute arbitrary code in the...

EUVD-2025-34783

A Use-After-Free UAF vulnerability exists in the QuickJS engine's standard library when iterating over the global list of unhandled rejected promises ts-rejectedpromiselist. The function jsstdpromiserejectioncheck attempts to iterate over the rejectedpromiselist to report unhandled rejections usi...

EUVD-2018-9812

Malware in sbrugna...

CVE-2024-42329

The webdriver for the Browser object expects an error object to be initialized when the webdriversessionquery function fails. But this function can fail for various reasons without an error description and then the wd-error will be NULL and trying to read from it will result in a crash...

CVE-2024-42329

The webdriver for the Browser object expects an error object to be initialized when the webdriversessionquery function fails. But this function can fail for various reasons without an error description and then the wd-error will be NULL and trying to read from it will result in a crash...

CVE-2024-42329

CVE-2024-42329 affects Zabbix (versions 7.0.0–7.0.3) where the Browser object’s webdriver_session_query may fail without an initialized error object, leaving wd->error as NULL and causing a crash when read. Connected sources corroborate the same underlying flaw across various advisories (e.g.,...

CVE-2024-42329

The webdriver for the Browser object expects an error object to be initialized when the webdriversessionquery function fails. But this function can fail for various reasons without an error description and then the wd-error will be NULL and trying to read from it will result in a crash...

CVE-2024-42329 JS - Crash on unexpected HTTP server response

The webdriver for the Browser object expects an error object to be initialized when the webdriversessionquery function fails. But this function can fail for various reasons without an error description and then the wd-error will be NULL and trying to read from it will result in a crash...

DEBIAN-CVE-2024-47532

RestrictedPython is a restricted execution environment for Python to run untrusted code. A user can gain access to protected and potentially sensible information indirectly via AttributeError.obj and the string module. The problem will be fixed in version 7.3. As a workaround, If the application...

SUSE CVE-2018-18073

Artifex Ghostscript allows attackers to bypass a sandbox protection mechanism by leveraging exposure of system operators in the saved execution stack in an error object...

CVE-2020-15125

In auth0 npm package versions before 2.27.1, a DenyList of specific keys that should be sanitized from the request object contained in the error object is used. The key for Authorization header is not sanitized and in certain cases the Authorization header value can be logged exposing a bearer...

CVE-2020-15125 Authorization header is not sanitized in an error object in auth0

In auth0 npm package versions before 2.27.1, a DenyList of specific keys that should be sanitized from the request object contained in the error object is used. The key for Authorization header is not sanitized and in certain cases the Authorization header value can be logged exposing a bearer...

GHSA-PRFQ-F66G-43MP Information disclosure through error object in auth0.js

Overview Between versions 8.0.0 and 9.13.1inclusive, in the case of an authentication error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. If the error object is exposed or logged without modification...

Information disclosure through error object in auth0.js

Overview Between versions 8.0.0 and 9.13.1inclusive, in the case of an authentication error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. If the error object is exposed or logged without modification...

Design/Logic Flaw

auth0.js NPM package auth0-js greater than version 8.0.0 and before version 9.12.3 has a vulnerability. In the case of an authentication error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. If the err...