CVE-2026-44006

A flaw was found in vm2 before 3.11.0. Sandboxed code can reach BaseHandler.getPrototypeOf to obtain arbitrary prototypes, enabling sandbox escape and arbitrary code execution. Fixed in 3.11.0...

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the BaseHandler.set trap in lib/bridge.js. An attacker can mutate...

CVE-2026-44006 vm2: Sandbox Escape

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, It is possible to reach BaseHandler.getPrototypeOf, which can be used to get arbitrary prototypes. This vulnerability is fixed in 3.11.0...

CVE-2026-44006

vm2 (Node.js sandbox) contains a code execution risk via a vulnerability in BaseHandler.getPrototypeOf that can enable sandbox escape and remote code execution. The CVE-2026-44006 flaw affects versions up to 3.10.x and is fixed in 3.11.0. Exploitation relies on reaching BaseHandler.getPrototypeOf...

vm2 代码注入漏洞

vm2 is a high-level virtual machine/sandbox for Node.js developed by Czech developer Patrik Simek. It runs untrusted code using built-in Node modules listed in the allowlist. Versions of vm2 prior to 3.11.0 had a code injection vulnerability, which was due to the access to...

vm2 has a Sandbox Escape Vulnerability

Summary It is possible to reach BaseHandler.getPrototypeOf, which can be used to get arbitrary prototypes Details https://github.com/patriksimek/vm2/blob/408fc855f1cc1bbc2985b029465ee0e732ada433/lib/bridge.jsL655-L658 BaseHandler can be reached via util.inspect same as...

CVE-2026-5261

A vulnerability was identified in Shandong Hoteam InforCenter PLM up to 8.3.8. The impacted element is the function uploadFileToIIS of the file /Base/BaseHandler.ashx. The manipulation of the argument File leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit i...

CVE-2026-5261 Shandong Hoteam InforCenter PLM BaseHandler.ashx uploadFileToIIS unrestricted upload

A vulnerability was identified in Shandong Hoteam InforCenter PLM up to 8.3.8. The impacted element is the function uploadFileToIIS of the file /Base/BaseHandler.ashx. The manipulation of the argument File leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit i...

CVE-2026-5261

A vulnerability was identified in Shandong Hoteam InforCenter PLM up to 8.3.8. The impacted element is the function uploadFileToIIS of the file /Base/BaseHandler.ashx. The manipulation of the argument File leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit i...

PT-2026-29483

A vulnerability was identified in Shandong Hoteam InforCenter PLM up to 8.3.8. The impacted element is the function uploadFileToIIS of the file /Base/BaseHandler.ashx. The manipulation of the argument File leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit i...

Hoteam InforCenter PLM 代码问题漏洞

Hoteam InforCenter PLM is a product lifecycle management platform designed for enterprise R&D and manufacturing processes by Hoteam Corporation. Versions of Hoteam InforCenter PLM 8.3.8 and earlier contained code vulnerabilities. These vulnerabilities stemmed from incorrect handling of parameters...