CVE-2026-43997

Description

A code injection vulnerability in the vm2 Node.js library that allows an attacker to obtain the host Object and escape the sandbox, leading to arbitrary code execution. (Affects versions <= 3.10.5, patched in 3.11.0)

References

https://thehackernews.com/2026/05/vm2-nodejs-library-vulnerabilities.html

Details

Source: Mitre, NVD