CVE 10 CRITICAL

vm2: Sandbox Breakout Using Promise Species_CVE-2026-47208

June 12, 2026 invoker category_cve

10 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Description

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.4.

AI Analysis

Sandbox breakout vulnerability allowing attackers to execute arbitrary commands on the host system

Basic Information

ID CVE-2026-47208

Source GitHub_M

Published Jun 12, 2026 at 14:16

Modified Jun 12, 2026 at 15:08

Affected Product

Vendor patriksimek

Product vm2

Version < 3.11.4

Affected Versions patriksimek vm2 < 3.11.4

CWE Classification

CWE-913

AI Assessment

AI Score 10 / 10

AI Severity Critical

Vendor patriksimek

Product vm2

Version < 3.11.4

References

{
    "lastseen": "",
    "description": "vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.4.",
    "published": "2026-06-12T14:16:22.726Z",
    "modified": "2026-06-12T15:08:40.162Z",
    "type": "cve",
    "title": "vm2: Sandbox Breakout Using Promise Species",
    "source": "GitHub_M",
    "references": "https://github.com/patriksimek/vm2/security/advisories/GHSA-76w7-j9cq-rx2j\nhttps://github.com/patriksimek/vm2/commit/a462655009669c3124ee39498121651597529ea8\nhttps://github.com/patriksimek/vm2/releases/tag/v3.11.4",
    "id": "CVE-2026-47208",
    "bulletinFamily": "",
    "cwe": [
        "CWE-913"
    ],
    "cvelist": null,
    "sourceData": "patriksimek vm2 < 3.11.4",
    "sourceHref": "",
    "cvss": {
        "score": 10,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "vm2",
    "version": "< 3.11.4",
    "vendor": "patriksimek",
    "ai_description": "Sandbox breakout vulnerability allowing attackers to execute arbitrary commands on the host system",
    "ai_severity": "Critical",
    "ai_vendor": "patriksimek",
    "ai_product": "vm2",
    "ai_version": "< 3.11.4",
    "ai_score": 10
}

💭 Join the Security Discussion ❌ Cancel Reply