CVE-2018-18748
Severity: CRITICAL
Sandboxie 5.26 - Sandbox Escape via Python File Import
Title source: llm
Description
Sandboxie 5.26 allows a Sandbox Escape via an "import os" statement, followed by os.system("cmd") or os.system("powershell"), within a .py file. NOTE: the vendor disputes this issue because the observed behavior is consistent with the product's intended functionality.
References (2)
Core References
Exploit, Third Party Advisory
https://github.com/sandboxescape/Sandboxie-5.26-Sandbox-Escape-Exploit/
Broken Link, Third Party Advisory, x_refsource_misc
https://github.com/sandboxescape/Sandboxie-5.26-Sandbox-Escape-Exploit/blob/2632a5f7409e52b2e020f5d4467fa019f9095e73/README.doc
Scores
CVSS v3: 10.0
EPSS: 0.0243
EPSS Percentile: 82.2%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: total
Details
Status: published
Products (1): sandboxie-plus/sandboxie 5.26
Published: Oct 29, 2018
Tracked Since: Feb 18, 2026