Sandbox Breakout Vulnerability in VM2 for Node.js
CVE-2026-47208

10CRITICAL

Key Information:

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-47208?

VM2 is an open-source virtual machine and sandbox for Node.js, which allows for running untrusted code securely. However, prior to version 3.11.4, it was vulnerable to a sandbox breakout that could enable attackers to escape the isolated environment of VM2 and execute arbitrary commands on the host system. This significant flaw can compromise system integrity and security, highlighting the importance of updating to the patched version 3.11.4 where this vulnerability has been addressed.

Affected Version(s)

vm2 < 3.11.4

References

CVSS V3.1

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.