CVE Catalog

CVE-2026-26956

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
0.92%

56th percentile — higher than 56% of all known CVEs

Summary

vm2 version 3.10.4 contains a vulnerability allowing full sandbox escape and arbitrary code execution on the host. An attacker can obtain the host process object and run commands without any host cooperation.

Risk Assessment

The risk for the organization is critical – an attacker can take over the Node.js server, execute arbitrary system commands, access data and resources, leading to full environment compromise.

Recommendation

Immediately update the vm2 library to version 3.10.5 or later, which includes a fix for this vulnerability.

Original NVD description (English source)

vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside VM.run() obtains host process object and runs host commands with zero host cooperation. This issue has been patched in version 3.10.5.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS