CVE-2026-24781
CriticalCVSS 9.8Exploitation Probability (EPSS)
Elevated risk63th percentile — higher than 63% of all known CVEs
Summary
A vulnerability in the vm2 library for Node.js allows sandbox escape via the inspect function. Attackers can execute arbitrary commands on the host system.
Risk Assessment
The organization risks full system compromise if an attacker exploits this vulnerability in an application using vm2.
Recommendation
Immediately update the vm2 library to version 3.11.0 or later.
Original NVD description (English source)
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability through the inspect function. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0.

