27 matches found
NPM: vm2 has a NodeVM require.root bypass via symlink traversal that allows sandbox escape
NPM: vm2 has a NodeVM require.root bypass via symlink traversal that allows sandbox escape vulnerability discovered by ? in WordPress Npm vm2 versions 3.10.5...
NPM: vm2 is Vulnerable to Host File Path Disclosure via Stack Trace Information Leak
NPM: vm2 is Vulnerable to Host File Path Disclosure via Stack Trace Information Leak vulnerability discovered by ? in WordPress Npm vm2 versions = 3.10.5...
NPM: vm2 Sandbox Access to Host Buffer.alloc Allows timeout Bypass Resulting in Memory Exhaustion
NPM: vm2 Sandbox Access to Host Buffer.alloc Allows timeout Bypass Resulting in Memory Exhaustion vulnerability discovered by ? in WordPress Npm vm2 versions = 3.10.5...
NPM: vm2 has a Sandbox Escape via Promise Constructor Unhandled Rejection (Process Crash DoS)
NPM: vm2 has a Sandbox Escape via Promise Constructor Unhandled Rejection (Process Crash DoS) vulnerability discovered by ? in WordPress Npm vm2 versions = 3.10.5...
NPM: vm2 has a NodeVM builtin allowlist bypass via `module` builtin's `Module._load` that allows sandbox escape
NPM: vm2 has a NodeVM builtin allowlist bypass via `module` builtin's `Module._load` that allows sandbox escape vulnerability discovered by ? in WordPress Npm vm2 versions 3.10.5...
NPM: vm2 has a Sandbox Escape Vulnerability
NPM: vm2 has a Sandbox Escape Vulnerability discovered by ? in WordPress Npm vm2 versions = 3.10.5...
EUVD-2026-26995
VM2 Has a WASM Sandbox Escape Node 25 only...
Arbitrary Code Injection
Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Arbitrary Code Injection through the vm2.run function. An attacker can execute arbitrary commands on the host system by escaping the sandbox...
CVE-2026-24120
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in versio...
CVE-2026-26956 vm2: WASM Sandbox Escape (Node 25 only)
vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside VM.run obtains host process object and runs host commands with zero host cooperation. This issue has been patched in version 3.10.5...
CVE-2026-26956
CVE-2026-26956 concerns the vm2 sandbox for Node.js. Affected: vm2 v3.10.4 allows full sandbox escape enabling arbitrary code execution when code runs inside VM.run(); attacker code can access the host process and execute host commands. Patch available in v3.10.5. Impact flags from CVSS indicate ...
CVE-2026-24120
Technical details about CVE-2026-24120 are not publicly available in the provided documents. The affected components, root cause, impact, and fixes are not specified here. Monitor for updates.
CVE-2026-24120
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in versio...
PT-2026-36847
Name of the Vulnerable Software and Affected Versions vm2 versions prior to 3.10.5 Description An insufficient fix in the sandbox implementation allows attackers to bypass security restrictions, enabling them to escape the VM2 sandbox and execute arbitrary commands on the host system. This is...
PT-2026-36852
Name of the Vulnerable Software and Affected Versions vm2 versions prior to 3.10.5 Description A critical sandbox escape exists in the vm2 library, which is used to run untrusted JavaScript code in Node.js applications. This issue allows an attacker to break out of the restricted environment and...
CVE-2024-12173
The Master Slider WordPress plugin before 3.10.5 does not sanitise and escape some of its settings, which could allow high privilege users such as Editor and above to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup...
CVE-2024-12173 Master Slider < 3.10.5 - Editor+ Stored XSS
The Master Slider WordPress plugin before 3.10.5 does not sanitise and escape some of its settings, which could allow high privilege users such as Editor and above to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite setup...
CVE-2024-27958
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeisle Visualizer allows Reflected XSS. This issue affects Visualizer: from n/a through 3.10.5...
PT-2024-28273 · WordPress · Happy Addons For Elementor
Name of the Vulnerable Software and Affected Versions: The Happy Addons for Elementor plugin for WordPress versions up to, and including, 3.10.5 Description: The issue is related to Stored Cross-Site Scripting via HTML tags in widgets due to insufficient input sanitization and output escaping on...
WordPress plugin Happy Addons for Elementor security vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability...