Arbitrary Code Execution Vulnerability in vm2 by Patrik Simek
CVE-2026-26956

9.8CRITICAL

Key Information:

Vendor

Patriksimek

Status
Vm2
Vendor
CVE Published:
4 May 2026

Badges

๐Ÿ‘พ Exploit Exists๐Ÿ“ฐ News Worthy

What is CVE-2026-26956?

The vm2 library, utilized for creating secure Node.js environments through sandboxing, was found to be vulnerable in version 3.10.4. This flaw allows attackers to execute arbitrary code outside the intended security boundaries, effectively achieving a full sandbox escape. With the use of the VM.run() method, malicious actors can access the host process object and execute host commands without any user interactions. This significant security issue exposes Node.js applications to potential exploitation, making it crucial for developers to update to the patched version 3.10.5 to mitigate these risks.

Affected Version(s)

vm2 = 3.10.4

News Articles

favicon imageBleepingComputer

Critical vm2 sandbox bug lets attackers execute code on hosts

A critical vulnerability in the popular Node.js sandboxing library vm2 allows escaping the sandbox and executing arbitrary code on the host system.

References

https://github.com/patriksimek/vm2/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/patriksimek/vm2/releases/tag/v3.10.5
x_refsource_MISC

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • ๐Ÿ‘พ

    Exploit known to exist

  • ๐Ÿ“ฐ

    First article discovered by BleepingComputer

  • Vulnerability published

  • Vulnerability Reserved

.