{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27597", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-20T19:43:14.601Z", "datePublished": "2026-02-25T03:56:25.927Z", "dateUpdated": "2026-02-25T21:13:32.747Z"}, "containers": {"cna": {"title": "@enclave-vm/core is vulnerable to Sandbox Escape", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/agentfront/enclave/security/advisories/GHSA-f229-3862-4942", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/agentfront/enclave/security/advisories/GHSA-f229-3862-4942"}, {"name": "https://github.com/agentfront/enclave/commit/09afbebe4cb6d0586c1145aa71ffabd2103932db", "tags": ["x_refsource_MISC"], "url": "https://github.com/agentfront/enclave/commit/09afbebe4cb6d0586c1145aa71ffabd2103932db"}], "affected": [{"vendor": "agentfront", "product": "enclave", "versions": [{"version": "< 2.11.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-25T03:56:25.927Z"}, "descriptions": [{"lang": "en", "value": "Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to version 2.11.1, it is possible to escape the security boundraries set by `@enclave-vm/core`, which can be used to achieve remote code execution (RCE). The issue has been fixed in version 2.11.1."}], "source": {"advisory": "GHSA-f229-3862-4942", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-25T21:13:15.333818Z", "id": "CVE-2026-27597", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T21:13:32.747Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27597", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-25T21:13:15.333818Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T21:13:26.446Z"}}], "cna": {"title": "@enclave-vm/core is vulnerable to Sandbox Escape", "source": {"advisory": "GHSA-f229-3862-4942", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "agentfront", "product": "enclave", "versions": [{"status": "affected", "version": "< 2.11.1"}]}], "references": [{"url": "https://github.com/agentfront/enclave/security/advisories/GHSA-f229-3862-4942", "name": "https://github.com/agentfront/enclave/security/advisories/GHSA-f229-3862-4942", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/agentfront/enclave/commit/09afbebe4cb6d0586c1145aa71ffabd2103932db", "name": "https://github.com/agentfront/enclave/commit/09afbebe4cb6d0586c1145aa71ffabd2103932db", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to version 2.11.1, it is possible to escape the security boundraries set by `@enclave-vm/core`, which can be used to achieve remote code execution (RCE). The issue has been fixed in version 2.11.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-25T03:56:25.927Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27597", "state": "PUBLISHED", "dateUpdated": "2026-02-25T21:13:32.747Z", "dateReserved": "2026-02-20T19:43:14.601Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-25T03:56:25.927Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:agentfront:enclave:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "77757A08-0B36-4B41-9474-A7AD214D4FB0", "versionEndExcluding": "2.11.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to version 2.11.1, it is possible to escape the security boundraries set by `@enclave-vm/core`, which can be used to achieve remote code execution (RCE). The issue has been fixed in version 2.11.1."}], "id": "CVE-2026-27597", "lastModified": "2026-02-27T18:27:17.377", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-25T04:16:03.557", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/agentfront/enclave/commit/09afbebe4cb6d0586c1145aa71ffabd2103932db"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/agentfront/enclave/security/advisories/GHSA-f229-3862-4942"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.11.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "enclave", "source": "cna", "vendor": "agentfront"}, "product": "enclave", "vendor": "agentfront"}], "analysis": {"en": {"generated_at": "2026-04-18T10:47:28.543466+00:00", "value": {"mitigation_remediation": ["Upgrade to Enclave version 2.11.1 or later, which contains the patch for @enclave-vm/core.", "If an immediate upgrade is not possible, isolate or remove the vulnerable Enclave instances from exposure to untrusted input and restrict network access for any AI code submissions.", "Monitor system logs and audit events for unexpected JavaScript execution or potential sandbox escape attempts, and apply additional runtime restrictions such as disabling eval or tightly limiting file system access."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Enclave product supplied by agentfront, specifically any instance running a version earlier than 2.11.1 that relies on @enclave-vm/core. Enclave runs on Node.js, and the affected package is listed under agentfront:enclave.", "description_and_impact": "Enclave provides a secure JavaScript sandbox for AI agent code. Before version 2.11.1, a flaw in @enclave-vm/core allows an attacker to escape the security boundaries of the sandbox. This escape can be leveraged to execute arbitrary code in the host environment, leading to full compromise of confidentiality, integrity, and availability. The weakness stems from improper code evaluation, classified as CWE\u201194.", "risk_and_exploitability": "The flaw carries a CVSS score of 10, indicating Exponentially Critical severity. The EPSS score is less than 1%, suggesting a very low current exploitation probability, and it is not listed in the CISA KEV catalog. Nonetheless, the risk is high due to the capability for remote code execution that could be achieved by submitting crafted code to the sandbox, implying a likely remote or network-based attack path with no user interaction required."}}}}, "created": "2026-02-25T11:34:40.790156+00:00", "updated": "2026-04-18T11:00:05.731711+00:00", "vendors": ["agentfront", "agentfront$PRODUCT$enclave"]}