
Description

vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to a full sandbox escape with arbitrary code execution: attacker-controlled code run inside VM.run() obtains the host process object and executes host commands with zero host cooperation. This issue has been patched in version 3.10.5.

Status: Published | Reserved 2026-02-16 | Published 2026-05-04 | Updated 2026-05-05 | Assigner: GitHub_M

CRITICAL: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Problem types

CWE-693: Protection Mechanism Failure

Product status

vm2 = 3.10.4: affected

References

github.com/...ek/vm2/security/advisories/GHSA-ffh4-j6h5-pg66 (exploit)

github.com/...ek/vm2/security/advisories/GHSA-ffh4-j6h5-pg66

github.com/patriksimek/vm2/releases/tag/v3.10.5

cve.org (CVE-2026-26956)

nvd.nist.gov (CVE-2026-26956)
