
vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside VM…

Published: 3 May 2026 at 22:00:00

Alert date: 4 May 2026 at 18:09:25

Source: nvd.nist.gov


Web Technologies, Supply Chain & Dependencies

CVE-2026-26956 affects vm2, an open source virtual machine/sandbox for Node.js. Version 3.10.4 contains a critical vulnerability that allows full sandbox escape with arbitrary code execution: attacker code running inside VM.run() can obtain the host process object and execute host commands without any host cooperation. This is a complete compromise of the sandbox security model. The vulnerability is fixed in version 3.10.5, and users should upgrade immediately to mitigate the risk.


Affected products:

vm2
Node.js


This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information originating from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
