Description
Sandbox Escape Vulnerability in Terrarium allows arbitrary code execution with root privileges on a host process via JavaScript prototype chain traversal.
Published: 2026-04-14
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Root privilege escalation via sandbox escape in Cohere Terrarium
Action: Apply patch
AI Analysis

Impact

Cohere Terrarium contains a sandbox escape flaw that allows an attacker to execute arbitrary code with root privileges on the host system by traversing the JavaScript prototype chain. This vulnerability bypasses the intended isolation boundaries of the Terrarium environment, enabling complete takeover of the underlying host and allowing the attacker to read, modify, or delete any data and to install additional malicious software. The impact is severe, affecting confidentiality, integrity, and availability at the system level.

Affected Systems

The affected product is Cohere Terrarium. No specific version numbers were disclosed in the advisory, so every running deployment of the component should be treated as potentially vulnerable until a patch or definitive fix is applied. Administrators should review all instances of Cohere Terrarium in their environment to gauge exposure.

Risk and Exploitability

The CVSS score of 9.3 categorizes this flaw as critical. The EPSS score is not available, and the vulnerability is not yet catalogued in the CISA KEV list. The attack vector is inferred to be remote, as malicious JavaScript can be injected within the sandboxed environment; the necessary conditions include a permissive JavaScript execution context that allows prototype modifications and host resource access. Organizations running Terrarium with untrusted or permissive scripting should treat this vulnerability as their highest-risk exposure.

Generated by OpenCVE AI on April 14, 2026 at 22:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify whether an updated release of Cohere Terrarium is available that addresses this issue and apply it as soon as it is released.
  • Until a fix is available, run Terrarium with the least privileges possible, isolating it from the host filesystem and disabling any API that permits prototype chain modifications or access to system resources.
  • Continuously monitor vendor advisories, public security bulletins, and the repository’s release notes for notices of a patch or temporary mitigation, and update the deployment immediately when one is announced.


Advisories

No advisories yet.

History

Tue, 21 Apr 2026 15:30:00 +0000

  Type          Values Removed   Values Added
  References    (not shown)      (not shown)

Wed, 15 Apr 2026 15:15:00 +0000

  Type                  Values Removed   Values Added
  First Time appeared   (none)           Cohere; Cohere cohere-terrarium
  Vendors & Products    (none)           Cohere; Cohere cohere-terrarium

Wed, 15 Apr 2026 14:45:00 +0000

  Type          Values Removed   Values Added
  Weaknesses    (none)           CWE-20; CWE-94

Tue, 14 Apr 2026 20:15:00 +0000

  Type      Values Removed   Values Added
  Metrics   (none)           cvssV3_1: {'score': 9.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}
                             ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 18:15:00 +0000

  Type          Values Removed   Values Added
  Description   (none)           Sandbox Escape Vulnerability in Terrarium allows arbitrary code execution with root privileges on a host process via JavaScript prototype chain traversal.
  Title         (none)           CVE-2026-5752
  References    (not shown)      (not shown)

MITRE

Status: PUBLISHED

Assigner: certcc

Published:

Updated: 2026-04-23T12:19:54.254Z

Reserved: 2026-04-07T16:13:06.702Z

Link: CVE-2026-5752

Vulnrichment

Updated: 2026-04-21T14:34:54.223Z

NVD

Status: Awaiting Analysis

Published: 2026-04-14T18:17:39.360

Modified: 2026-04-21T15:16:37.563

Link: CVE-2026-5752

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T14:53:58Z

Weaknesses