CVSS 9.8 · CRITICAL

CVE-2026-26332

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0.

Analysis

vm2 is a widely used Node.js library for executing untrusted code in a sandbox environment. This vulnerability allows a complete sandbox escape to achieve arbitrary code execution on the host, which is the most critical failure mode for this specific tool.

Severity

Score: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH
Weakness (CWE): CWE-94, CWE-693

EPSS

Probability of exploitation (next 30 days): 0.0006 (0.1%)
Percentile: 18.9%
EPSS: 2026-05-06

Affects

vm2_project:vm2

Technical description

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0.

Published: 5/4/2026, 5:16:22 PM
Last modified: 5/6/2026, 12:24:36 PM
