CWE-653— Improper Isolation or Compartmentalization
The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions.— MITRE CWE catalog
66 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-653page 2 of 2
- CVE-2026-26956CRITICALCVSS 9.8EG 9.82026-05-04
vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside VM.run() obtains host process object and runs host commands with zero host cooper…
- CVE-2026-34775MEDIUMCVSS 6.8EG 6.82026-04-04
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.4, 40.8.4, and 41.0.0, the nodeIntegrationInWorker webPreference was not correctly scoped in all configu…
- CVE-2026-40968MEDIUMCVSS 4.2EG 4.22026-04-28
When an authenticated user is denied access to a gRPC method, their authenticated identity remains bound to the gRPC worker thread and can be inherited by a subsequent unauthenticated request on the same thread. This may allow the subseque…
- CVE-2026-41155MEDIUMCVSS 5.5EG 5.52026-06-12
An attacker could cooperatively pass data from one secure GPU process to another secure GPU process through shared secure memory allocations in the kernel module. Additionally, an attacker could disrupt the operation of another secure GPU …
- CVE-2026-41174MEDIUMCVSS 6.4EG 6.42026-04-30
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a potential vulnerability in Traefik's Kubernetes CRD provider cross-namespace isolation enforcement. When providers.kubernetes…
- CVE-2026-42782HIGHCVSS 7.2EG 7.22026-05-25
Improper Isolation or Compartmentalization vulnerability in Apache Syncope. An administrator with adequate entitlements for Implementations can create a malicious Groovy class containing untrusted code reaching a non-sandboxed execution …
- CVE-2026-4282HIGHCVSS 7.4EG 7.42026-04-02
A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can…
- CVE-2026-4325MEDIUMCVSS 5.3EG 5.32026-04-02
A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an attacker to delete arbitrary single-use entries, which can enable the replay of co…
- CVE-2026-43997CRITICALCVSS 10.0EG 10.02026-05-13
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the host Object, to escape the sandbox, one example would be using HostObject.getOwnPropertySymbols to o…
- CVE-2026-44005CRITICALCVSS 10.0EG 10.02026-05-13
vm2 is an open source vm/sandbox for Node.js. From 3.9.6 to 3.10.5, vm2's bridge exposes mutable proxies for real host-realm intrinsic prototypes and then forwards sandbox writes into the underlying host objects with otherReflectSet() and …
- CVE-2026-44009CRITICALCVSS 9.8EG 9.82026-05-13
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, This vulnerability is fixed in 3.11.2.
- CVE-2026-4692CRITICALCVSS 10.0EG 10.02026-03-24
Sandbox escape in the Responsive Design Mode component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
- CVE-2026-5599HIGHCVSS 7.3EG 7.32026-04-05
A user with API access and "manage users" permission in any venueless world is able to trigger deletion of user accounts in other worlds.
- CVE-2026-5600MEDIUMCVSS 4.3EG 4.32026-04-08
A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific event in fact returns all check-in events belonging to the respective organizer. This allows an API consumer to access information…
- CVE-2026-8401CRITICALCVSS 9.8EG 9.82026-05-12
Sandbox escape in the Profile Backup component. This vulnerability was fixed in Firefox 150.0.3, Firefox ESR 115.36, Firefox ESR 140.11, and Thunderbird 140.11.
- CVE-2026-8945HIGHCVSS 7.5EG 7.52026-05-19
Sandbox escape in Firefox and Firefox Focus for Android. This vulnerability was fixed in Firefox 151.
Map vulnerabilities like CWE-653 to your infrastructure
EchelonGraph correlates every CVE — across CWE-653 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →