What does this release signal mean?

Cohere published cohere-ai/cohere-terrarium v1.0.1 (cohere-ai/cohere-terrarium). This release signal is evidence of what shipped, changed, or was packaged for users. High-signal details: Minor version update of existing model · v1.0.1 — Fix CVE-2026-5752 Repository: cohere-ai/cohere-terrarium Tag: v1.0.1 Published: 2026-04-22T15:34:06Z Prerelease: no Release notes: Changelog 1.0.1 — 2026-04-22.... onlylabs links this event to 1 captured evidence page and 6 related release signals.

Cohere Release: cohere-ai/cohere-terrarium v1.0.1

Captured source

source ↗

GitHub/github.com/cohere-ai/cohere-terrarium

cohere-ai/cohere-terrarium v1.0.1

Source ↗

published Apr 22, 2026seen 5dcaptured 8hhttp 200method plain

v1.0.1 — Fix CVE-2026-5752

Repository: cohere-ai/cohere-terrarium

Tag: v1.0.1

Published: 2026-04-22T15:34:06Z

Prerelease: no

Release notes:

Changelog

1.0.1 — 2026-04-22

Security

Fix CVE-2026-5752 (CVSS 9.3, critical): sandbox escape via JavaScript

prototype chain traversal in src/services/python-interpreter/service.ts. Mock document / ImageData / DOM stub objects exposed to Pyodide via jsglobals were plain object literals that inherited from Object.prototype, allowing sandboxed Python to walk .constructor.constructor to the host Function constructor, obtain host globalThis, and reach require for arbitrary code execution as root. Every exposed object is now built with Object.create(null); read-only mocks are additionally frozen.

Add regression test

tests/security/cve_2026_5752_proto_escape.py.

Notes

This project remains unmaintained beyond this security release. Users are encouraged to migrate to a maintained sandbox.

Notability

notability 4.0/10

Minor version update of existing model