CVE-2026-26956

critical

Description

vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside VM.run() obtains host process object and runs host commands with zero host cooperation. This issue has been patched in version 3.10.5.

References

https://thehackernews.com/2026/05/vm2-nodejs-library-vulnerabilities.html

https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-26956.json

https://github.com/patriksimek/vm2/security/advisories/GHSA-ffh4-j6h5-pg66

https://github.com/patriksimek/vm2/releases/tag/v3.10.5

https://bugzilla.redhat.com/show_bug.cgi?id=2466548

https://access.redhat.com/security/cve/CVE-2026-26956

Details

Source: Mitre, NVD

Published: 2026-05-04

Updated: 2026-06-30

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.00092