CVE-2026-4692
Sandbox escape in the Responsive Design Mode component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9,
CVSS
10.0
Critical
EPSS
0.5%
p39
KEV
—
Exploit Today
12
0-100
Published: Mar 24, 2026 · Last modified: Jul 15, 2026 · CWE-653
0.5%EPSS · 30 days0.5%
2026-06-302026-07-17
Sandbox escape in the Responsive Design Mode component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
- bugzilla.mozilla.orghttps://bugzilla.mozilla.org/show_bug.cgi?id=2017643
- www.mozilla.orghttps://www.mozilla.org/security/advisories/mfsa2026-20/
- www.mozilla.orghttps://www.mozilla.org/security/advisories/mfsa2026-21/
- www.mozilla.orghttps://www.mozilla.org/security/advisories/mfsa2026-22/
- www.mozilla.orghttps://www.mozilla.org/security/advisories/mfsa2026-23/
- www.mozilla.orghttps://www.mozilla.org/security/advisories/mfsa2026-24/
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:5930
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:5931
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:5932
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:6188
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:6342
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:6917
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:7837
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:7838
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:7839
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:7840
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:7841
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:7842
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:7843
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:7845
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-247819.8 CRI64.3%
——19vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability through the inspect function. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0.3dCVE-2026-4399710.0 CRI58.1%
——17vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the host Object, to escape the sandbox, one example would be using HostObject.getOwnPropertySymbols to obtain Symbol(nodejs.util.inspect.custom). This vulnerability is fixed in 3.11.0.3dCVE-2026-269569.8 CRI56.3%
——17vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside VM.run() obtains host process object and runs host commands with zero host cooperation. This issue has been patched in version 3.10.5.3dCVE-2026-4400510.0 CRI53.8%
——16vm2 is an open source vm/sandbox for Node.js. From 3.9.6 to 3.10.5, vm2's bridge exposes mutable proxies for real host-realm intrinsic prototypes and then forwards sandbox writes into the underlying host objects with otherReflectSet() and otherReflectDefineProperty(), which lets attacker-controlled JavaScript running in a default VM or inherited NodeVM mutate shared host Object.prototype, Array.prototype, and Function.prototype from inside the sandbox This vulnerability is fixed in 3.11.0.3dCVE-2026-440099.8 CRI52.9%
——16vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, This vulnerability is fixed in 3.11.2.3dCVE-2026-263329.8 CRI49.4%
——15vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0.3d