CWE-693: Protection Mechanism Failure — known CVE vulnerabilities
CVEs classified under CWE-693 (Protection Mechanism Failure), ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2026-47140 — CVSS 10.0 (critical): vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM blocks several dangerous Node.js builtins such as module…
CVE-2026-34208 — CVSS 10.0 (critical): SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, SandboxJS blocks direct assignment to global objects (for example…
CVE-2026-34938 — CVSS 10.0 (critical): PraisonAI is a multi-agent teams system. Prior to version 1.5.90, execute_code() in praisonai-agents runs attacker-controlled Python inside…
CVE-2026-2761 — CVSS 10.0 (critical): Sandbox escape in the Graphics: WebRender component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8…
CVE-2022-32845 — CVSS 10.0 (critical): This issue was addressed with improved checks. This issue is fixed in watchOS 8.7, iOS 15.6 and iPadOS 15.6, macOS Monterey 12.5. An app…
CVE-2026-45102 — CVSS 9.9 (critical): OneUptime is an open-source monitoring and observability platform. Prior to 10.0.98, OneUptime uses the Node.js' vm module as an isolation…
CVE-2026-25115 — CVSS 9.9 (critical): n8n is an open source workflow automation platform. Prior to version 2.4.8, a vulnerability in the Python Code node allows authenticated…
CVE-2025-68668 — CVSS 9.9 (critical): n8n is an open source workflow automation platform. From version 1.0.0 to before 2.0.0, a sandbox bypass vulnerability exists in the Python…
CVE-2023-25765 — CVSS 9.9 (critical): In Jenkins Email Extension Plugin 2.93 and earlier, templates defined inside a folder were not subject to Script Security protection…
CVE-2021-32835 — CVSS 9.9 (critical): Eclipse Keti is a service that was designed to protect RESTfuls API using Attribute Based Access Control (ABAC). In Keti a sandbox escape…
CVE-2019-10328 — CVSS 9.9 (critical): Jenkins Pipeline Remote Loader Plugin 1.4 and earlier provided a custom whitelist for script security that allowed attackers to invoke…
CVE-2026-8401 — CVSS 9.8 (critical): Sandbox escape in the Profile Backup component. This vulnerability was fixed in Firefox 150.0.3, Firefox ESR 115.36, Firefox ESR 140.11…
CVE-2026-26956 — CVSS 9.8 (critical): vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution…
CVE-2026-29649 — CVSS 9.8 (critical): NEMU contains an implementation flaw in its RISC-V Hypervisor CSR handling where henvcfg[7:4] (CBIE/CBCFE/CBZE-related fields) is…
CVE-2024-55024 — CVSS 9.8 (critical): An authentication bypass vulnerability in the authorization mechanism of Weintek cMT-3072XH2 easyweb v2.1.53, OS v20231011 allows…
CVE-2025-48626 — CVSS 9.8 (critical): In multiple locations, there is a possible way to launch an application from the background due to a precondition check failure. This could…
CVE-2025-22429 — CVSS 9.8 (critical): In multiple locations, there is a possible way to execute arbitrary code due to a logic error in the code. This could lead to local…
CVE-2025-54143 — CVSS 9.8 (critical): Sandboxed iframes on webpages could potentially allow downloads to the device, bypassing the expected sandbox restrictions declared on the…
CVE-2025-43261 — CVSS 9.8 (critical): A logic issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. An…
CVE-2024-34144 — CVSS 9.8 (critical): A sandbox bypass vulnerability involving crafted constructor bodies in Jenkins Script Security Plugin 1335.vf07d9ce377a_e and earlier…
CVE-2023-52378 — CVSS 9.8 (critical): Vulnerability of incorrect service logic in the WindowManagerServices module.Successful exploitation of this vulnerability may cause…
CVE-2022-47544 — CVSS 9.8 (critical): An issue was discovered in Siren Investigate before 12.1.7. Script variable whitelisting is insufficiently sandboxed.
CVE-2020-10887 — CVSS 9.8 (critical): This vulnerability allows a firewall bypass on affected installations of TP-Link Archer A7 Firmware Ver: 190726 AC1750 routers…
CVE-2018-9318 — CVSS 9.8 (critical): The Telematics Control Unit (aka Telematic Communication Box or TCB), when present on BMW vehicles produced in 2012 through 2018, allows a…
CVE-2018-9311 — CVSS 9.8 (critical): The Telematics Control Unit (aka Telematic Communication Box or TCB), when present on BMW vehicles produced in 2012 through 2018, allows a…
CVE-2017-8864 — CVSS 9.8 (critical): Client-side enforcement using JavaScript of server-side security options on the Cohu 3960HD allows an attacker to manipulate options sent…
CVE-2026-14097 — CVSS 9.6 (critical): Inappropriate implementation in WebAppInstalls in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who had compromised…
CVE-2026-14037 — CVSS 9.6 (critical): Insufficient policy enforcement in GPU in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer…
CVE-2026-14017 — CVSS 9.6 (critical): Inappropriate implementation in Navigation in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the…
CVE-2026-13909 — CVSS 9.6 (critical): Insufficient policy enforcement in DevTools in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the…
CVE-2026-13859 — CVSS 9.6 (critical): Inappropriate implementation in ANGLE in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to potentially perform a sandbox…
CVE-2026-12296 — CVSS 9.6 (critical): Sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird…
CVE-2026-12295 — CVSS 9.6 (critical): Sandbox escape in the DOM: Navigation component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37…
CVE-2026-12294 — CVSS 9.6 (critical): Sandbox escape in the DOM: Workers component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37…
CVE-2026-11282 — CVSS 9.6 (critical): Insufficient policy enforcement in Sandbox in Google Chrome on Linux prior to 149.0.7827.53 allowed a remote attacker to potentially…
CVE-2025-43728 — CVSS 9.6 (critical): Dell ThinOS 10, versions prior to 2508_10.0127, contain a Protection Mechanism Failure vulnerability. An unauthenticated attacker with…
CVE-2022-26384 — CVSS 9.6 (critical): If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they…
CVE-2022-22759 — CVSS 9.6 (critical): If a document created a sandboxed iframe without <code>allow-scripts</code>, and subsequently appended an element to the iframe's document…
CVE-2026-44451 — CVSS 9.3 (critical): Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the component override system transpiles user-supplied TSX via Sucrase…
CVE-2026-12316 — CVSS 9.1 (critical): Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 152 and Thunderbird 152.
CVE-2026-12315 — CVSS 9.1 (critical): Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and…
CVE-2025-65319 — CVSS 9.1 (critical): When using the attachment interaction functionality, Blue Mail 1.140.103 and below saves documents to a file system without a…
CVE-2025-65318 — CVSS 9.1 (critical): When using the attachment interaction functionality, Canary Mail 5.1.40 and below saves documents to a file system without a…
CVE-2025-43273 — CVSS 9.1 (critical): A permissions issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.8. A…
CVE-2025-6427 — CVSS 9.1 (critical): An attacker was able to bypass the `connect-src` directive of a Content Security Policy by manipulating subdocuments. This would have also…