CVE 9.8 CRITICAL

vm2: Sandbox Escape_CVE-2026-26332

May 4, 2026 invoker category_cve

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0.

AI Analysis

Sandbox escape vulnerability in vm2 prior to version 3.11.0, allowing attackers to run arbitrary code.

Basic Information

ID CVE-2026-26332

Source GitHub_M

Published May 4, 2026 at 16:35

Affected Product

Vendor patriksimek

Product vm2

Version < 3.11.0

Affected Versions patriksimek vm2 < 3.11.0

CWE Classification

CWE-94 CWE-693

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor patriksimek

Product vm2

Version < 3.11.0

References

{
    "lastseen": "",
    "description": "vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0.",
    "published": "2026-05-04T16:35:52.706Z",
    "modified": "2026-05-04T16:35:52.706Z",
    "type": "cve",
    "title": "vm2: Sandbox Escape",
    "source": "GitHub_M",
    "references": "https://github.com/patriksimek/vm2/security/advisories/GHSA-55hx-c926-fr95\nhttps://github.com/patriksimek/vm2/releases/tag/v3.11.0",
    "id": "CVE-2026-26332",
    "bulletinFamily": "",
    "cwe": [
        "CWE-94",
        "CWE-693"
    ],
    "cvelist": null,
    "sourceData": "patriksimek vm2 < 3.11.0",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "vm2",
    "version": "< 3.11.0",
    "vendor": "patriksimek",
    "ai_description": "Sandbox escape vulnerability in vm2 prior to version 3.11.0, allowing attackers to run arbitrary code.",
    "ai_severity": "Critical",
    "ai_vendor": "patriksimek",
    "ai_product": "vm2",
    "ai_version": "< 3.11.0",
    "ai_score": 9.8
}

💭 Join the Security Discussion ❌ Cancel Reply