CVSS 9.8 · CRITICAL

CVE-2026-26332

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0.

View on NVD

Analysis

vm2 is a widely used Node.js library for executing untrusted code in a sandbox environment. This vulnerability allows a complete sandbox escape to achieve arbitrary code execution on the host, which is the most critical failure mode for this specific tool.

Severity

Score: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH
Weakness type (CWE): CWE-94, CWE-693

EPSS

Exploitation probability (next 30 days): 0.0006 (0.1%)
Percentile: 18.9%
EPSS: 2026-05-06

Affects

vm2_project:vm2

Published: 4/5/2026, 17:16:22
Last modified: 6/5/2026, 12:24:36
