Lucene search
K

4 matches found

RedhatCVE
RedhatCVE
added 2026/06/05 7:22 p.m.9 views

CVE-2026-43999

A flaw was found in vm2 before 3.11.0. When the module builtin is allowed including via wildcard, sandboxed code can call Module.load in the host context, bypassing the builtin allowlist and loading excluded modules such as childprocess for remote code execution. Fixed in 3.11.0...

9.9CVSS6.4AI score0.00974EPSS
Exploits1References4
OSV
OSV
added 2026/06/04 9:5 p.m.18 views

ROOT-APP-NPM-CVE-2026-43999 CVE-2026-43999 in @rootio/vm2 - Patched by Root

Root has patched CVE-2026-43999 in the @rootio/vm2 package for Root:npm. Multiple fixed versions available...

9.9CVSS6AI score0.00974EPSS
Exploits1
Cvelist
Cvelist
added 2026/05/13 5:21 p.m.37 views

CVE-2026-43999 vm2: NodeVM builtin allowlist bypass via `module` builtin's `Module._load` allows sandbox escape

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, NodeVM's builtin allowlist can be bypassed when the module builtin is allowed including via the '' wildcard. The module builtin exposes Node's Module.load, which loads any module by name directly in the host context, completely...

9.9CVSS0.00974EPSS
Exploits1References1
CVE
CVE
added 2026/05/13 5:21 p.m.23 views

CVE-2026-43999

CVE-2026-43999 affects vm2’s NodeVM when the builtins allowlist is configured with a wildcard that includes the module builtin. Prior to version 3.11.0, the module builtin can bypass vm2’s allowlist via Module._load, because vm2 exposes the host’s Module object through a readonly proxy that still...

9.9CVSS6.3AI score0.00974EPSS
Exploits1References4Affected Software1
Rows per page
Query Builder