CVE Catalog

CVE-2026-26332

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.71%

49th percentile — higher than 49% of all known CVEs

Summary

A vulnerability in the vm2 library for Node.js allows attackers to escape the sandbox and execute arbitrary code via the SuppressedError mechanism. The issue is fixed in version 3.11.0.

Risk Assessment

An attacker can gain full control over the Node.js application, leading to compromise of system integrity, confidentiality, and availability.

Recommendation

Immediately update the vm2 library to version 3.11.0 or later.

Original NVD description (English source)

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS