vm2: Sandbox Escape

Description

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0.

Affected Products

Vendor	Product	Versions
vm2	vm2	< 3.11.0, 3.10.x

References

https://github.com/patriksimek/vm2/security/advisories/GHSA-55hx-c926-fr95(x_refsource_CONFIRM)
https://github.com/patriksimek/vm2/releases/tag/v3.11.0(x_refsource_MISC)

Related News (1 articles)

Tier C

VulDB7h ago

CVE-2026-26332 | patriksimek vm2 up to 3.10.x code injection (GHSA-55hx-c926-fr95)

→ No new info (linked only)

CVSS 3.19.8 CRITICAL

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA KEV❌ No

Actively exploited❌ No

CWECWE-94, CWE-693

PublishedMay 4, 2026

Last enriched6h agov2

Trending Score52

Source articles1

Independent1

Info Completeness8/14

Missing: epss, kev, exploit, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

Version History

Last enriched 6h ago

v2Tier C6h ago

Updated affected versions to include 3.10.x and clarified that no exploit is available.

affectedVersions

via VulDB

v111h ago

Initial creation

vm2: Sandbox Escape

Description

Affected Products

References

Related News (1 articles)

Community Vote

Related CVEs (2)

Pin to Dashboard

Verification

Vulnerability Timeline

Version History