Hackers are writing new code everyday and finding new ways to exploit the system, there have definitely been successful attempts in bypassing sandboxes and VMs although with those methods, patches are often uploaded by the sandbox and VM providers immediately.
But you never know if they've found a new way to exploit them until the malware lands in the hands of researchers or AV vendors. So tread carefully if you want to test malware, but if you are just browsing the web with a VM I doubt you'll be that unlucky to run into a malware that would be able to escape the sandbox or VM.