6 matches found
CVE-2026-44006
A flaw was found in vm2 before 3.11.0. Sandboxed code can reach BaseHandler.getPrototypeOf to obtain arbitrary prototypes, enabling sandbox escape and arbitrary code execution. Fixed in 3.11.0...
ROOT-APP-NPM-CVE-2026-44006 CVE-2026-44006 in @rootio/vm2 - Patched by Root
Root has patched CVE-2026-44006 in the @rootio/vm2 package for Root:npm. Multiple fixed versions available...
CVE-2026-44006
vm2 (Node.js sandbox) contains a code execution risk via a vulnerability in BaseHandler.getPrototypeOf that can enable sandbox escape and remote code execution. The CVE-2026-44006 flaw affects versions up to 3.10.x and is fixed in 3.11.0. Exploitation relies on reaching BaseHandler.getPrototypeOf...
CVE-2026-44006 vm2: Sandbox Escape
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to reach BaseHandler.getPrototypeOf, which can be used to get arbitrary prototypes. This vulnerability is fixed in 3.11.0...
org.webjars.npm:degenerator (=4.0.4), org.webjars.npm:pac-resolver (=6.0.2) +1 more potentially affected by CVE-2026-44006 via org.webjars.npm:vm2 (=3.9.19)
org.webjars.npm:vm2 MAVEN version =3.9.19 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:vm2 and may be impacted: - org.webjars.npm:degenerator =4.0.4 - org.webjars.npm:pac-resolver =6.0.2 - org.webjars.npm:rocket.chatapps-engine =1.35...
CVE-2026-44006
| creationtimestamp | type | source |
|---|---|---|
| 2026-05-01 20:40:54+00:00 | published-proof-of-concept | https://github.com/patriksimek/vm2/security/advisories/GHSA-qcp4-v2jj-fjx8 |
| 2026-05-13 21:49:21+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mlrbtta76z2i |
| 2026-05-18 14:18:11+00:00 | ...