CVE Catalog
CVE-2026-26332
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk0.71%
49th percentile — higher than 49% of all known CVEs
Summary
A vulnerability in the vm2 library for Node.js allows attackers to escape the sandbox and execute arbitrary code via the SuppressedError mechanism. The issue is fixed in version 3.11.0.
Risk Assessment
An attacker can gain full control over the Node.js application, leading to compromise of system integrity, confidentiality, and availability.
Recommendation
Immediately update the vm2 library to version 3.11.0 or later.
Original NVD description (English source)
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0.

