4 matches found

RedhatCVE
added 2026/02/10 1:23 p.m., 4 views

CVE-2026-25905

The Python code being run by 'runPython' or 'runPythonAsync' is not isolated from the rest of the JS code, allowing any Python code to use the Pyodide APIs to modify the JS environment. This may result in an attacker hijacking the MCP server - for malicious purposes including MCP tool shadowing...

5.8 CVSS, 5.6 AI score, 0.00177 EPSS
Exploits 0, References 1
CNNVD
added 2026/02/09 12:0 a.m., 2 views

Pydantic security vulnerability

Pydantic is an open-source library developed by Pydantic developers. It allows for data validation using Python type hints. Pydantic has a security vulnerability that stems from the lack of isolation between Python code and JavaScript code. This vulnerability could potentially lead to the hijacki...

5.8 CVSS, 5.9 AI score, 0.00177 EPSS
Exploits 0, References 2
CVE
added 2025/10/15 5:16 p.m., 69 views

CVE-2025-62410

CVE-2025-62410 affects happy-dom prior to version 20.0.2, where the --disallow-code-generation-from-strings mitigation does not fully isolate untrusted JavaScript. The untrusted script and the rest of the application run in the same Isolate/process, allowing prototype-pollution payloads to hijack...

9.4 CVSS, 6.4 AI score, 0.00318 EPSS
Exploits 0, References 2
Cvelist
added 2025/04/18 4:4 p.m., 20 views

CVE-2025-32792 ses's global contour bindings leak into Compartment lexical scope

SES safely executes third-party JavaScript 'strict' mode programs in compartments that have no excess authority in their global scope. Prior to version 1.12.0, web pages and web extensions using ses and the Compartment API to evaluate third-party code in an isolated execution environment that hav...

8.7 CVSS, 0.00443 EPSS
Exploits 0, References 1