Improper Isolation or Compartmentalization

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization through the NodeVM constructor in lib/nodevm.js. An attacker can run host commands when the VM is set up...

GHSA-CP6G-6699-WX9C vm2 has a NodeVM require.root bypass via symlink traversal that allows sandbox escape

Summary NodeVM's require.root path restriction can be bypassed using filesystem symlinks, allowing sandboxed code to load modules from outside the allowed root directory in host context. Because path validation uses path.resolve which does not dereference symlinks but module loading uses Node's...

NPM: vm2 has a NodeVM require.root bypass via symlink traversal that allows sandbox escape

NPM: vm2 has a NodeVM require.root bypass via symlink traversal that allows sandbox escape vulnerability discovered by ? in WordPress Npm vm2 versions 3.10.5...

CVE-2026-41270

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery SSRF protection bypass vulnerability exists in the Custom Function feature. While the application implements SSRF protection via HTTPDENYLIST for axios and...

OneUptime has Synthetic Monitor RCE via exposed Playwright browser object

Summary OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands on the oneuptime-probe server/container. The root cause is that untrusted Synthetic Monitor code is executed inside Node's vm while live host-realm Playwright browser and page...

Exposed Dangerous Method or Function

Overview @oneuptime/common is a The OneUptime Common UI Library is a collection of shared components, utilities that are used across the OneUptime platform. It is designed to be easy to install and use, and to be extensible. This library is built with React and TypeScript. It includes c Affected...

PT-2026-24190

Name of the Vulnerable Software and Affected Versions OneUptime versions prior to 10.0.21 Description OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands on the oneuptime-probe server/container. The root cause is that untrusted Synthetic...

CVE-2026-30921

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.20, OneUptime Synthetic Monitors allow low-privileged project users to submit custom Playwright code that is executed on the oneuptime-probe service. In the current implementation, this untrusted code is run inside...

OneUptime 代码注入漏洞

OneUptime is a comprehensive open-source solution developed by OneUptime. It is used to monitor and manage your online services. Versions of OneUptime 9.5.13 and earlier contain a code injection vulnerability. This vulnerability stems from the use of the unsafe node:vm module in the custom...

Remote Code Execution (RCE)

Happy DOM is vulnerable to Remote Code Execution RCE. The vulnerability is due to the use of a non-isolated Node.js VM context with JavaScript evaluation enabled by default, which allows an attacker to run untrusted code that can escape the sandbox—potentially gaining access to process-level...