vm2: WASM Sandbox Escape (Node 25 only)

Description

A vulnerability classified as critical was found in patriksimek vm2 3.10.4. The affected element is the function VM.run of the component HOST Command Handler. Such manipulation leads to protection mechanism failure. This vulnerability is traded as CVE-2026-26956. The attack may be launched remotely.

Affected Products

Vendor	Product	Versions
patriksimek	vm2	= 3.10.4

References

https://github.com/patriksimek/vm2/security/advisories/GHSA-ffh4-j6h5-pg66(x_refsource_CONFIRM)
https://github.com/patriksimek/vm2/releases/tag/v3.10.5(x_refsource_MISC)

Related News (1 articles)

Tier C

VulDB7h ago

CVE-2026-26956 | patriksimek vm2 3.10.4 HOST Command VM.run protection mechanism (GHSA-ffh4-j6h5-pg66)

→ No new info (linked only)

CVSS 3.19.8 CRITICAL

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA KEV❌ No

Actively exploited❌ No

Patch available

3.10.5

CWECWE-693

PublishedMay 4, 2026

Last enriched6h agov2

Trending Score29

Source articles1

Independent1

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

Version History

Last enriched 6h ago

v2Tier C6h ago

Updated description with more technical detail, confirmed no exploit available, and specified patch version 3.10.5.

descriptionpatchAvailable

via VulDB

v111h ago

Initial creation

vm2: WASM Sandbox Escape (Node 25 only)

Description

Affected Products

References

Related News (1 articles)

Community Vote

Related CVEs (1)

Pin to Dashboard

Verification

Vulnerability Timeline

Version History