ThreatScope by DIAMATIX
Critical Vulnerabilities Actively Exploited (23 February – 01 March 2026)
During the period 23 February – 01 March 2026, the dominant risk pattern centered around authentication bypass, sandbox escape, command injection, and supply-chain workflow abuse.
This week reinforced a structural reality.
When authentication mechanisms fail at the network layer, when browser sandboxes collapse, and when CI/CD pipelines execute untrusted code with elevated privileges, compromise scales rapidly beyond a single system.
Below, vulnerabilities are grouped by operational impact.
Summary Overview
| Affected Area | Vulnerability Type | Potential Impact |
|---|---|---|
| SD-WAN Infrastructure | Authentication bypass | Network-wide configuration manipulation |
| Browser Ecosystem | Sandbox escape | Remote code execution via client layer |
| Network Devices | OS command injection | Remote device takeover |
| JavaScript Sandboxes | Boundary escape | AI agent RCE |
| Automation & Validation | Validation bypass | Unauthorized execution paths |
| AI Engineering Platforms | CI/CD workflow RCE | Secret exposure & repository compromise |
| Monitoring Platforms | OS command injection | Infrastructure control |
1. SD-WAN Infrastructure. Authentication Bypass
Observed vulnerability:
Cisco Catalyst SD-WAN Controller / Manager – CVE-2026-20127 (CVSS 10.0)
A flaw in peering authentication allows unauthenticated remote attackers to obtain administrative privileges and manipulate SD-WAN fabric configuration.
Why this matters:
SD-WAN controllers operate at the core of enterprise connectivity.
Authentication bypass at this layer does not merely compromise one device — it compromises the network control plane.
2. Browser Ecosystem. Sandbox Escape
Observed vulnerabilities:
CVE-2026-2760
CVE-2026-2761
CVE-2026-2768
CVE-2026-2776
CVE-2026-2778
(All CVSS 10.0)
Multiple sandbox escape vulnerabilities were identified across Firefox and Thunderbird components, including WebRender, IndexedDB, Telemetry, and DOM layers.
Why this matters:
Browser sandboxes are designed to isolate untrusted content.
When boundary conditions fail, remote content can escape containment and execute beyond intended restrictions.
Client-side compromise remains one of the fastest lateral entry points into enterprise environments.
3. Network Devices. OS Command Injection
Observed vulnerability:
Totolink N300RH – CVE-2026-3301 (CVSS 10.0)
Manipulation of input parameters in the web management interface enables remote OS command execution.
Why this matters:
Command injection at the network device layer allows attackers to:
Establish persistence
Modify traffic flows
Pivot internally
Edge devices remain frequently exposed and under-monitored.
4. JavaScript Sandboxes. Boundary Escape
Observed vulnerability:
Enclave JavaScript Sandbox – CVE-2026-27597 (CVSS 10.0)
A boundary escape flaw in @enclave-vm/core allows attackers to bypass sandbox restrictions and achieve remote code execution.
Why this matters:
Secure execution environments for AI agents are designed to contain risk.
When sandbox enforcement fails, AI execution layers become direct RCE vectors.
5. Automation & Validation Layers. Execution Bypass
Observed vulnerability:
OpenClaw Validation Bypass – CVE-2026-28363 (CVSS 9.9)
GNU-style long-option abbreviations (an unambiguous prefix is accepted in place of the full option name) allowed the execution-approval check to be bypassed, enabling unintended execution paths.
Why this matters:
Validation logic often represents the final safety barrier before execution.
If allowlists can be bypassed, the control model collapses silently.
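The approval-bypass class described above is easiest to see with a small model. The block below is an added illustration, not code from ThreatScope or from the affected project: a hypothetical tool named "tool" parses options with Python's argparse, which, like GNU getopt_long, accepts any unambiguous prefix of a long option. A naive approval layer that compares raw argv tokens against the literal flag name approves the abbreviated spelling, while the tool still acts on the full option. The hardened check canonicalises the invocation with the same grammar the tool uses before deciding; the complementary fix on the tool side is to refuse abbreviations.

```python
import argparse
import shlex

# Constructed example: a hypothetical command-line tool ("tool") that exposes
# one dangerous long option. An approval layer in front of it must decide
# whether a given invocation may run.
DANGEROUS_FLAGS = {"--allow-unsafe-exec"}


def build_parser(allow_abbrev: bool) -> argparse.ArgumentParser:
    """Option grammar of the hypothetical tool. argparse, like GNU getopt_long,
    accepts any unambiguous prefix of a long option unless allow_abbrev=False."""
    parser = argparse.ArgumentParser(prog="tool", allow_abbrev=allow_abbrev)
    parser.add_argument("--allow-unsafe-exec", action="store_true")
    parser.add_argument("--verbose", action="store_true")
    parser.add_argument("target")
    return parser


def naive_approval(cmdline: str) -> bool:
    """Weak check: compares raw argv tokens against the literal flag names.
    An abbreviated spelling of the flag is not in the set, so it is approved."""
    tokens = shlex.split(cmdline)
    return not any(token in DANGEROUS_FLAGS for token in tokens)


def effective_options(cmdline: str, allow_abbrev: bool = True) -> dict:
    """What the tool itself will act on after its own option parsing."""
    parser = build_parser(allow_abbrev)
    namespace = parser.parse_args(shlex.split(cmdline)[1:])
    return vars(namespace)


def hardened_approval(cmdline: str) -> bool:
    """Canonicalise the invocation with the same option grammar the tool uses
    and decide on the parsed result, not on the raw strings."""
    options = effective_options(cmdline, allow_abbrev=True)
    return not options["allow_unsafe_exec"]


def tool_rejects_abbreviation(cmdline: str) -> bool:
    """Tool-side fix: with allow_abbrev=False an abbreviated option is a usage
    error instead of a silent match. argparse reports that error by exiting."""
    try:
        effective_options(cmdline, allow_abbrev=False)
    except SystemExit:
        return True
    return False


if __name__ == "__main__":
    for cmd in ("tool --allow-unsafe-exec host", "tool --allow-unsafe host"):
        print(cmd)
        print("  naive approval:   ", naive_approval(cmd))
        print("  tool will see:    ", effective_options(cmd))
        print("  hardened approval:", hardened_approval(cmd))
```

The general rule the example shows: a validator must reason about what the consumer will do with the input, not about the input's spelling. Any layer that checks strings the downstream parser will normalise (option prefixes, case folding, path canonicalisation, unicode equivalence) has the same gap.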
6. AI Engineering & CI/CD Pipelines. Workflow RCE
Observed vulnerability:
OpenLIT – CVE-2026-27941 (CVSS 10.0)
GitHub Actions workflows triggered by pull_request_target executed untrusted code from forked pull requests, exposing the workflow's write-privileged token and sensitive secrets.
Why this matters:
CI/CD workflows increasingly operate with privileged tokens and cloud credentials.
When untrusted code executes in that context, repository compromise and secret exfiltration become immediate risks.
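A pull_request_target workflow runs in the context of the base repository, with the repository token and secrets available, which is why checking out and running the pull request's own code in it is the dangerous combination. The triage script below is an added example (not ThreatScope's or OpenLIT's code) that flags that combination in workflow files with a line-oriented heuristic; it deliberately avoids a YAML dependency, so it can misjudge unusual layouts and is meant for triage, not as a substitute for review. The three workflow texts are constructed samples.

```python
import re

# A pull_request_target workflow runs with the base repository's token and
# secrets. Checking out the pull request head puts fork-controlled code into
# that privileged job; any run: step on that tree (package scripts, Makefile,
# test hooks) then executes attacker-chosen code.
TRIGGER_RE = re.compile(r"\bpull_request_target\b")
HEAD_CHECKOUT_RE = re.compile(
    r"(github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref)"
)
RUN_STEP_RE = re.compile(r"^\s*-?\s*run:", re.M)
SECRETS_RE = re.compile(r"\$\{\{\s*secrets\.")


def audit_workflow(text: str) -> dict:
    """Return a severity and findings for one workflow file.
    review: privileged trigger present, no PR code checked out (inspect by hand)
    high:   privileged trigger plus checkout of the pull request head"""
    findings = []
    severity = "none"
    if TRIGGER_RE.search(text):
        severity = "review"
        findings.append("runs on pull_request_target (base-repo token and secrets)")
        if HEAD_CHECKOUT_RE.search(text):
            severity = "high"
            findings.append("checks out the pull request head (fork-controlled code)")
            if RUN_STEP_RE.search(text):
                findings.append("has run: steps operating on the checked-out tree")
            if SECRETS_RE.search(text):
                findings.append("references secrets in the same workflow")
    return {"severity": severity, "findings": findings}


# Constructed sample workflows (not from any real repository).
RISKY_WORKFLOW = """
name: pr-check
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
        env:
          API_TOKEN: ${{ secrets.API_TOKEN }}
"""

SAFE_WORKFLOW = """
name: pr-check
on:
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

LABEL_WORKFLOW = """
name: label
on: pull_request_target
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v5
"""

if __name__ == "__main__":
    for name, wf in (("risky", RISKY_WORKFLOW), ("safe", SAFE_WORKFLOW),
                     ("label", LABEL_WORKFLOW)):
        print(name, audit_workflow(wf))
```

The safe sample uses the plain pull_request trigger, under which fork-originated runs receive a read-only token and no secrets; that is the usual remediation when the job only needs to build and test the contribution.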
7. Monitoring Platforms. OS Command Injection
Observed vulnerability:
OneUptime – CVE-2026-27728 (CVSS 9.9)
Authenticated users could inject shell metacharacters to execute arbitrary OS commands on monitoring probes.
Why this matters:
Monitoring infrastructure often has visibility across environments.
Command injection at this layer provides attackers with both execution and reconnaissance capability.
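Sections 3 and 7 both describe the same defect class: user-supplied input reaching an OS shell. The block below is an added example, not code from ThreatScope, Totolink or OneUptime; it models a hypothetical monitoring probe that pings a host taken from a monitor configuration, showing the vulnerable string-interpolation form beside the hardened form (strict allowlist validation, then an argv list executed without a shell) and a small metacharacter detector usable over request logs.

```python
import re
import subprocess

# Constructed example: a probe checks reachability of a host that an
# authenticated user configured, so the host string is attacker-influenced.
# Conservative allowlist: letters, digits, dots and hyphens, starting with an
# alphanumeric so the value can never be read as a command-line option.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")
SHELL_METACHARS = ";|&`$<>()\n\"'\\"


def unsafe_probe_command(host: str) -> str:
    """Vulnerable pattern: input interpolated into a command line that is
    then handed to a shell. Metacharacters in `host` become shell syntax."""
    return f"ping -c 1 {host}"  # would be run with shell=True


def is_valid_probe_target(host: str) -> bool:
    """Allowlist check applied before any command is built."""
    return HOSTNAME_RE.fullmatch(host) is not None


def safe_probe_command(host: str) -> list:
    """Hardened pattern: validate, then build an argv list. Each element is
    passed to the OS as one argument; no shell ever parses it."""
    if not is_valid_probe_target(host):
        raise ValueError(f"rejected probe target: {host!r}")
    return ["ping", "-c", "1", host]


def run_probe(host: str) -> int:
    """Execute the hardened form and return the process exit status."""
    return subprocess.run(safe_probe_command(host), shell=False,
                          check=False).returncode


def contains_shell_metachars(value: str) -> bool:
    """Detection helper for request bodies or audit logs: true if the value
    would change meaning under a shell. Useful as an alert rule on fields
    that should only ever hold hostnames or addresses."""
    return any(ch in value for ch in SHELL_METACHARS)


if __name__ == "__main__":
    # Constructed inputs: one legitimate target, one carrying a metacharacter.
    for candidate in ("probe.example.org", "203.0.113.5; echo injected"):
        print(candidate)
        print("  unsafe form:", unsafe_probe_command(candidate))
        print("  valid:      ", is_valid_probe_target(candidate))
        print("  metachars:  ", contains_shell_metachars(candidate))
```

Two points the hardened form relies on: the argv list removes the shell entirely, so quoting is not the defence, and the allowlist rejects a leading hyphen so that a validated value cannot be interpreted by the invoked program as an option (argument injection is a separate failure that argv lists alone do not prevent).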
Key Observations
Network control-plane systems remain high-impact targets
Browser sandbox escapes continue to appear in mature ecosystems
Command injection remains operationally reliable
AI execution sandboxes are emerging risk zones
CI/CD workflows increasingly represent privileged attack paths
Validation and allowlist bypasses undermine trust models silently
This week’s ThreatScope highlights a systemic theme.
Trust boundaries in networking, browser isolation, automation validation, and AI execution layers are being tested repeatedly.
When authentication fails and sandboxing collapses, compromise expands rapidly across control layers.
ThreatScope by DIAMATIX examines not only vulnerability severity, but where execution intersects with operational control.
Trusted · Innovative · Vigilant