CVE-2026-26956
CriticalCVSS 9.8Exploitation Probability (EPSS)
Elevated risk56th percentile — higher than 56% of all known CVEs
Summary
vm2 version 3.10.4 contains a vulnerability allowing full sandbox escape and arbitrary code execution on the host. An attacker can obtain the host process object and run commands without any host cooperation.
Risk Assessment
The risk for the organization is critical – an attacker can take over the Node.js server, execute arbitrary system commands, access data and resources, leading to full environment compromise.
Recommendation
Immediately update the vm2 library to version 3.10.5 or later, which includes a fix for this vulnerability.
Original NVD description (English source)
vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside VM.run() obtains host process object and runs host commands with zero host cooperation. This issue has been patched in version 3.10.5.

