Monthly
Exposure of a scanning VM's VNC service in Fortinet FortiSandbox 5.0.0-5.0.2 and 4.4.3-4.4.8 lets an unauthenticated remote attacker reach the VNC server of the sandbox virtual machines used for malware detonation via ordinary network requests. Because these VMs run and observe live malware samples, unauthorized VNC access can expose sensitive analysis sessions and potentially allow interaction with the detonation environment. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Information disclosure in DeepMyst Mysti's Per-Project Auto-Memory Handler allows low-privileged remote attackers to expose resources by supplying a manipulated workspacePath argument to the initProjectMemory function in src/managers/MemoryManager.ts. EUVD-2026-41610 confirms versions 0.1 through 0.4.0 are affected. No active exploitation (CISA KEV) or public exploit code has been identified at time of analysis; the CVSS 4.0 score of 5.3 reflects a limited, confidentiality-only impact with no integrity or availability consequences.
Information disclosure in PraisonAI before 1.5.115 allows authenticated agents to read other agents' system prompts and conversation history by exploiting missing uniqueness enforcement on agent identifiers in the MultiAgentLedger component. An attacker who can register an agent with a colliding ID receives the same ledger instance as the victim, breaking tenant isolation in multi-agent deployments. No public exploit identified at time of analysis, though the upstream GHSA advisory (GHSA-766v-q9x3-g744) publishes a working proof-of-concept demonstrating the collision.
Cross-authority JWT signing key confusion in Steeltoe authentication libraries allows tokens issued by one identity provider to be accepted by application schemes configured for a different authority. Affected are CloudFoundryBase prior to 3.4.0, JwtBearer prior to 4.2.0, and OpenIdConnect prior to 4.2.0 when deployed in multi-scheme configurations. No public exploit has been identified at time of analysis; vendor patches are available and no CISA KEV listing exists.
Information disclosure in OpenClaw before 2026.4.26 leaks the real host workspace path through sandboxed session spawning, exposing filesystem location and potentially related memory context to child AI model prompts. Authenticated users with low-privilege access can trigger this by spawning child sessions from sandboxed parent sessions, undermining the isolation guarantees of the sandbox environment. With a CVSS 4.0 score of 2.3, no public exploit code, and no CISA KEV listing, this is a low-severity but architecturally meaningful sandbox escape of information relevant to AI agent deployments.
Improper path handling in the mod_dav_fs module of Apache HTTP Server 2.4.67 and earlier permits a WebDAV content author to directly manipulate trusted DAV property databases, leading to integrity violations and child process crashes. With a CVSS of 9.1 (AV:N/AC:L/PR:N/UI:N) and SSVC technical impact rated 'total' with automatable=yes, the flaw is highly impactful, though there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Physical USB tampering against Dräger Zeus Infinity Empowered (Zeus IE) and Zeus RS C500 anesthesia workstations allows an attacker with bedside access to compromise software integrity, alter therapy data, and pivot to connected networks or Dräger Service Connect. The flaw, disclosed by VulnCheck and tracked under CWE-668 (Exposure of Resource to Wrong Sphere), carries a CVSS 4.0 base score of 7.0 reflecting high impact across confidentiality, integrity, and availability of the device itself. There is no public exploit identified at time of analysis and no CISA KEV listing, but the medical-device context elevates patient-safety concern even at moderate technical severity.
Host process data leakage in vm2 (npm/vm2 <= 3.11.3) allows untrusted JavaScript executing inside a NodeVM sandbox to read sensitive host-process state - including HTTP Authorization headers, session tokens, and AsyncLocalStorage request context - by requiring process-wide observability builtins that were incorrectly absent from the DANGEROUS_BUILTINS denylist. The affected modules (diagnostics_channel, async_hooks, perf_hooks) are Node.js process-wide singletons, not sandbox-local constructs, so granting sandbox access to them exposes all host process data flowing through those channels. A publicly available exploit code exists confirming extraction of Bearer tokens and x-session-token headers from live host HTTP requests; this is not confirmed actively exploited (not in CISA KEV).
Algernon's auto-refresh SSE event server unintentionally exposes developer file-change streams to unauthenticated LAN peers on Linux and macOS due to a platform-dependent bind address default that was never intended to reach adjacent hosts. On non-Windows platforms, the SSE listener resolves to 0.0.0.0:5553 (all interfaces), while Windows correctly binds to 127.0.0.1:5553 - a silent asymmetry introduced in engine/flags.go that leaves developers on the most common Algernon platforms exposed whenever they work on shared networks. A publicly available proof-of-concept demonstrates that any host on the same subnet can enumerate project filenames and edit timing with a single unauthenticated curl command, with no developer interaction required; no public exploit identified at time of analysis rises to confirmed active exploitation (not in CISA KEV).
Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Exposure of a scanning VM's VNC service in Fortinet FortiSandbox 5.0.0-5.0.2 and 4.4.3-4.4.8 lets an unauthenticated remote attacker reach the VNC server of the sandbox virtual machines used for malware detonation via ordinary network requests. Because these VMs run and observe live malware samples, unauthorized VNC access can expose sensitive analysis sessions and potentially allow interaction with the detonation environment. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Information disclosure in DeepMyst Mysti's Per-Project Auto-Memory Handler allows low-privileged remote attackers to expose resources by supplying a manipulated workspacePath argument to the initProjectMemory function in src/managers/MemoryManager.ts. EUVD-2026-41610 confirms versions 0.1 through 0.4.0 are affected. No active exploitation (CISA KEV) or public exploit code has been identified at time of analysis; the CVSS 4.0 score of 5.3 reflects a limited, confidentiality-only impact with no integrity or availability consequences.
Information disclosure in PraisonAI before 1.5.115 allows authenticated agents to read other agents' system prompts and conversation history by exploiting missing uniqueness enforcement on agent identifiers in the MultiAgentLedger component. An attacker who can register an agent with a colliding ID receives the same ledger instance as the victim, breaking tenant isolation in multi-agent deployments. No public exploit identified at time of analysis, though the upstream GHSA advisory (GHSA-766v-q9x3-g744) publishes a working proof-of-concept demonstrating the collision.
Cross-authority JWT signing key confusion in Steeltoe authentication libraries allows tokens issued by one identity provider to be accepted by application schemes configured for a different authority. Affected are CloudFoundryBase prior to 3.4.0, JwtBearer prior to 4.2.0, and OpenIdConnect prior to 4.2.0 when deployed in multi-scheme configurations. No public exploit has been identified at time of analysis; vendor patches are available and no CISA KEV listing exists.
Information disclosure in OpenClaw before 2026.4.26 leaks the real host workspace path through sandboxed session spawning, exposing filesystem location and potentially related memory context to child AI model prompts. Authenticated users with low-privilege access can trigger this by spawning child sessions from sandboxed parent sessions, undermining the isolation guarantees of the sandbox environment. With a CVSS 4.0 score of 2.3, no public exploit code, and no CISA KEV listing, this is a low-severity but architecturally meaningful sandbox escape of information relevant to AI agent deployments.
Improper path handling in the mod_dav_fs module of Apache HTTP Server 2.4.67 and earlier permits a WebDAV content author to directly manipulate trusted DAV property databases, leading to integrity violations and child process crashes. With a CVSS of 9.1 (AV:N/AC:L/PR:N/UI:N) and SSVC technical impact rated 'total' with automatable=yes, the flaw is highly impactful, though there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Physical USB tampering against Dräger Zeus Infinity Empowered (Zeus IE) and Zeus RS C500 anesthesia workstations allows an attacker with bedside access to compromise software integrity, alter therapy data, and pivot to connected networks or Dräger Service Connect. The flaw, disclosed by VulnCheck and tracked under CWE-668 (Exposure of Resource to Wrong Sphere), carries a CVSS 4.0 base score of 7.0 reflecting high impact across confidentiality, integrity, and availability of the device itself. There is no public exploit identified at time of analysis and no CISA KEV listing, but the medical-device context elevates patient-safety concern even at moderate technical severity.
Host process data leakage in vm2 (npm/vm2 <= 3.11.3) allows untrusted JavaScript executing inside a NodeVM sandbox to read sensitive host-process state - including HTTP Authorization headers, session tokens, and AsyncLocalStorage request context - by requiring process-wide observability builtins that were incorrectly absent from the DANGEROUS_BUILTINS denylist. The affected modules (diagnostics_channel, async_hooks, perf_hooks) are Node.js process-wide singletons, not sandbox-local constructs, so granting sandbox access to them exposes all host process data flowing through those channels. A publicly available exploit code exists confirming extraction of Bearer tokens and x-session-token headers from live host HTTP requests; this is not confirmed actively exploited (not in CISA KEV).
Algernon's auto-refresh SSE event server unintentionally exposes developer file-change streams to unauthenticated LAN peers on Linux and macOS due to a platform-dependent bind address default that was never intended to reach adjacent hosts. On non-Windows platforms, the SSE listener resolves to 0.0.0.0:5553 (all interfaces), while Windows correctly binds to 127.0.0.1:5553 - a silent asymmetry introduced in engine/flags.go that leaves developers on the most common Algernon platforms exposed whenever they work on shared networks. A publicly available proof-of-concept demonstrates that any host on the same subnet can enumerate project filenames and edit timing with a single unauthenticated curl command, with no developer interaction required; no public exploit identified at time of analysis rises to confirmed active exploitation (not in CISA KEV).
Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.