Arbitrary Code Execution in vm2 Sandbox for Node.js by Patrik Simek
CVE-2026-26332

9.8CRITICAL

Key Information:

Vendor: Patriksimek
Status: Vm2
Vendor: CVE Published:; 4 May 2026

🔔 Create Patriksimek Vulnerability Alert

What is CVE-2026-26332?

The vm2 library, a widely-used open-source virtualization and sandboxing solution for Node.js, was found to have a serious security flaw prior to version 3.11.0. This vulnerability, identified as SuppressedError, allowed malicious actors to escape the protective confines of the sandbox, resulting in the potential for arbitrary code execution on the host system. This issue posed significant risks for applications relying on vm2 for safe execution of untrusted code. The vulnerability has been effectively addressed in version 3.11.0, which users are strongly encouraged to upgrade to.

Affected Version(s)

vm2 < 3.11.0

References

https://github.com/patriksimek/vm2/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/patriksimek/vm2/releases/tag/v3.11.0

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 4, 2026
Vulnerability Reserved
Feb 13, 2026

CVE-2026-26332 Data

JSON