Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the BaseHandler.set trap in lib/bridge.js. An...

CVE-2026-44006

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, It is possible to reach BaseHandler.getPrototypeOf, which can be used to get arbitrary prototypes. This vulnerability is fixed in 3.11.0...

CVE-2026-44006 vm2: Sandbox Escape

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, It is possible to reach BaseHandler.getPrototypeOf, which can be used to get arbitrary prototypes. This vulnerability is fixed in 3.11.0...

PT-2026-38397

Name of the Vulnerable Software and Affected Versions vm2 versions prior to 3.11.0 Description A sandbox escape allows unauthenticated attackers to execute arbitrary system commands RCE on the host. The issue occurs because BaseHandler.getPrototypeOf can be reached via util.inspect, enabling the...

CVE-2026-5261 Shandong Hoteam InforCenter PLM BaseHandler.ashx uploadFileToIIS unrestricted upload

A vulnerability was identified in Shandong Hoteam InforCenter PLM up to 8.3.8. The impacted element is the function uploadFileToIIS of the file /Base/BaseHandler.ashx. The manipulation of the argument File leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit i...

CVE-2026-5261

Affected product: Shandong Hoteam InforCenter PLM up to version 8.3.8. Vulnerable component: the function uploadFileToIIS in /Base/BaseHandler.ashx. Root cause: manipulation of the File argument enables unrestricted upload, enabling remote exploitation. Public exploit exists. No remediation detai...