
5 matches found

Snyk
added 2026/05/04 6:27 p.m., 6 views

Arbitrary Code Injection

Overview: vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Arbitrary Code Injection via the SuppressedError. An attacker can execute arbitrary code outside the intended sandbox environment by leveraging this...

CVSS: 10, AI score: 6.4, EPSS: 0.00081
Exploits: 1, References: 2
NVD
added 2026/05/04 5:16 p.m., 4 views

CVE-2026-26332

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0...

CVSS: 10, EPSS: 0.00081
Exploits: 1, References: 2
CVE
added 2026/05/04 4:35 p.m., 7 views

CVE-2026-26332

vm2 (Node.js sandbox) contains a sandbox-escape vulnerability: prior to 3.11.0, SuppressedError can allow code execution outside the sandbox. The issue is fixed in version 3.11.0. Affected software: vm2; impact described as arbitrary code execution with sandbox escape. No exploitation details are...

CVSS: 10, AI score: 5.9, EPSS: 0.00081
Exploits: 1, References: 2, Affected Software: 1
CNNVD
added 2026/05/04 12:0 a.m., 5 views

vm2 Code Injection Vulnerability

vm2 is a high-level virtual machine/sandbox developed by Czech developer Patrik Simek. It runs untrusted code using Node’s built-in modules listed in the allowlist. Versions of vm2 prior to 3.11.0 had a code injection vulnerability; this vulnerability stemmed from the SuppressedError feature, whi...

CVSS: 10, AI score: 6.3, EPSS: 0.00081
Exploits: 1, References: 1
Positive Technologies
added 2026/05/01 12:0 a.m., 1 views

PT-2026-36851

Name of the Vulnerable Software and Affected Versions: vm2 versions prior to 3.11.0
Description: vm2 is an open source vm/sandbox for Node.js. The use of SuppressedError allows attackers to escape the sandbox and execute arbitrary code.
Recommendations: Update to version 3.11.0...

CVSS: 10, AI score: 6, EPSS: 0.00081
Exploits: 1, References: 20