Prototypal Manipulation Vulnerability in vm2 by Patrik Símek
CVE-2026-44005

10 CRITICAL

Key Information:

CVE Published: 13 May 2026

What is CVE-2026-44005?

vm2, a widely used sandboxing library for Node.js, allows JavaScript running inside the sandbox to modify the prototypes of the host realm's built-in objects, including Object.prototype, Array.prototype and Function.prototype. The cause is that vm2 exposes proxies to host objects that are writable from sandbox code, so a property write performed inside the sandbox is applied to the underlying host object rather than to a sandbox-local copy. Because a host prototype is shared by every object in the process, one write from the sandbox changes the behaviour of host code that never touched the sandbox: it is a prototype pollution primitive against the host. The flaw is present in versions 3.9.6 through 3.10.5 and is fixed in 3.11.0; upgrade to 3.11.0 or later. A process in which untrusted code has already run under an affected version should be restarted rather than repaired in place, since changes to prototypes persist for the lifetime of the process.

Affected Version(s)

vm2 >= 3.9.6, < 3.11.0

CVSS V3.1

Score: 10
Severity: CRITICAL
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: None
Integrity: High
Availability: None

Vector string assembled from the metrics above: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

These metrics do not reproduce the listed score: under the CVSS v3.1 formula, Scope Changed with C:N/I:H/A:N yields a base score of 8.6 (High), and a 10.0 requires High on confidentiality, integrity and availability. One of the two is mis-transcribed; check the published record before using the score to prioritise.

Timeline

  • Vulnerability published: 13 May 2026

  • Vulnerability reserved