CVE-2026-47208
CriticalCVSS 10.0Exploitation Probability (EPSS)
Elevated risk65th percentile — higher than 65% of all known CVEs
Summary
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, vm2 suffers from a sandbox breakout vulnerability, allowing attackers to execute arbitrary commands on the host system.
Risk Assessment
This vulnerability poses a serious risk to organizations by enabling attackers to gain control over the host system.
Recommendation
It is recommended to upgrade to version 3.11.4 or later to mitigate this vulnerability.
Original NVD description (English source)
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.4.

