Arbitrary Code Execution Vulnerability in vm2 by Patrik Simek
CVE-2026-26956

9.8CRITICAL

Key Information:

Vendor: Patriksimek
Status: Vm2
Vendor: CVE Published:; 4 May 2026

🔔 Create Patriksimek Vulnerability Alert

What is CVE-2026-26956?

The vm2 library, utilized for creating secure Node.js environments through sandboxing, was found to be vulnerable in version 3.10.4. This flaw allows attackers to execute arbitrary code outside the intended security boundaries, effectively achieving a full sandbox escape. With the use of the VM.run() method, malicious actors can access the host process object and execute host commands without any user interactions. This significant security issue exposes Node.js applications to potential exploitation, making it crucial for developers to update to the patched version 3.10.5 to mitigate these risks.

Affected Version(s)

vm2 = 3.10.4

References

https://github.com/patriksimek/vm2/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/patriksimek/vm2/releases/tag/v3.10.5

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 4, 2026
Vulnerability Reserved
Feb 16, 2026

CVE-2026-26956 Data

JSON