CVE 9.8 CRITICAL

vm2: WASM Sandbox Escape (Node 25 only)_CVE-2026-26956

May 4, 2026 invoker category_cve

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside VM.run() obtains host process object and runs host commands with zero host cooperation. This issue has been patched in version 3.10.5.

AI Analysis

Sandbox escape vulnerability in vm2 allowing arbitrary code execution

Basic Information

ID CVE-2026-26956

Source GitHub_M

Published May 4, 2026 at 16:37

Affected Product

Vendor patriksimek

Product vm2

Version = 3.10.4

Affected Versions patriksimek vm2 = 3.10.4

CWE Classification

CWE-693

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor patriksimek

Product vm2

Version 3.10.4

References

{
    "lastseen": "",
    "description": "vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside VM.run() obtains host process object and runs host commands with zero host cooperation. This issue has been patched in version 3.10.5.",
    "published": "2026-05-04T16:37:31.538Z",
    "modified": "2026-05-04T16:37:31.538Z",
    "type": "cve",
    "title": "vm2: WASM Sandbox Escape (Node 25 only)",
    "source": "GitHub_M",
    "references": "https://github.com/patriksimek/vm2/security/advisories/GHSA-ffh4-j6h5-pg66\nhttps://github.com/patriksimek/vm2/releases/tag/v3.10.5",
    "id": "CVE-2026-26956",
    "bulletinFamily": "",
    "cwe": [
        "CWE-693"
    ],
    "cvelist": null,
    "sourceData": "patriksimek vm2 = 3.10.4",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "vm2",
    "version": "= 3.10.4",
    "vendor": "patriksimek",
    "ai_description": "Sandbox escape vulnerability in vm2 allowing arbitrary code execution",
    "ai_severity": "Critical",
    "ai_vendor": "patriksimek",
    "ai_product": "vm2",
    "ai_version": "3.10.4",
    "ai_score": 9.8
}

💭 Join the Security Discussion ❌ Cancel Reply