vm2 maintainers disclosed a fresh batch of a dozen sandbox-escape vulnerabilities yesterday, including CVE-2026-43997, CVE-2026-44005, and CVE-2026-44006 - all CVSS 10.0. The library is used by 1.3 million weekly downloads worth of Node.js projects to run untrusted JavaScript inside a supposedly safe sandbox - online code runners, chatbots, automation tools, and SaaS platforms with user scripts. Each bug breaks the sandbox in a different way: prototype pollution, sandbox escape via inspect functions, allowlist bypass to reach child_process. vm2 was deprecated in 2023 over similar issues, then resurrected last October. Over 20 documented sandbox-escape bugs - the maintainer himself recommends Docker isolation instead.
A critical sandbox-escape flaw in Cohere AI's open-source Terrarium project lets code running inside the sandbox break out and execute arbitrary commands as root on the host Node.js process. Terrarium is a Python sandbox built on Pyodide (a browser- and Node.js-compatible Python distribution running in WebAssembly) and deployed as a Docker container to safely run untrusted code submitted by users or generated by a large language model. That exact use case makes the blast radius real: any AI product using Terrarium to evaluate LLM-generated Python code is giving its models a direct path to root on the container and, from there, potentially on the host. The flaw (CVE-2026-5752, CVSS 9.3) stems from JavaScript prototype chain traversal in the Pyodide WebAssembly environment: sandboxed code can reach parent and global object prototypes to manipulate objects in the host, a technique SentinelOne describes as prototype pollution bypassing the intended security boundaries. Exploitation needs local access to the sandbox but no special privileges or user interaction. The project has been starred 312 times and forked 56 times. Because Cohere is no longer actively maintaining Terrarium, the flaw is unlikely to ever be patched. Security researcher Jeremy Brown reported the issue.
CERT Coordination Center disclosed CVE-2026-5752, a CVSS 9.3 sandbox escape in Cohere's open source Terrarium, a Python sandbox that runs on Pyodide (a WebAssembly Python distribution for Node.js) and is used to execute untrusted or LLM-generated code inside a Docker container. The flaw lets code running inside the Pyodide sandbox traverse the JavaScript prototype chain to reach the host Node.js Function constructor, compile arbitrary JavaScript in the host realm, and execute it as root inside the container. From that point attackers can read /etc/passwd and environment variables, reach other services on the container network, and attempt a further container escape. Critically, CERT/CC notes it was unable to coordinate a patch with Cohere, so no fix has shipped. Terrarium has 312 GitHub stars and 56 forks - a moderate audience, but anyone running it is a poster-child target for prompt-injection attacks that instruct the LLM to emit sandbox-breaking code. The underlying prototype-chain traversal pattern is the same technique seen in January's CVE-2026-22686 against the enclave-vm sandbox.
TrustStrike Labs