16743 matches found

CVE
added 2026/05/04 4:37 p.m. | 24 views

CVE-2026-26956

CVE-2026-26956 concerns the vm2 sandbox for Node.js. Affected: vm2 v3.10.4 allows full sandbox escape enabling arbitrary code execution when code runs inside VM.run(); attacker code can access the host process and execute host commands. Patch available in v3.10.5. Impact flags from CVSS indicate ...

CVSS 9.8 | AI score 6 | EPSS 0.00745
Exploits: 1 | References: 2 | Affected Software: 1

Vulnrichment
added 2026/05/04 4:37 p.m. | 5 views

CVE-2026-26956 vm2: WASM Sandbox Escape (Node 25 only)

vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside VM.run obtains host process object and runs host commands with zero host cooperation. This issue has been patched in version 3.10.5...

CVSS 9.8 | AI score 6 | EPSS 0.00745
Exploits: 1 | References: 2

ATTACKERKB
added 2026/05/04 4:35 p.m. | 1 view

CVE-2026-26332

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0...

CVSS 9.8 | AI score 5.9 | EPSS 0.00576
Exploits: 1 | References: 3 | Affected Software: 1

CVE
added 2026/05/04 4:35 p.m. | 10 views

CVE-2026-26332

vm2 (Node.js sandbox) contains a sandbox-escape vulnerability: prior to 3.11.0, SuppressedError can allow code execution outside the sandbox. The issue is fixed in version 3.11.0. Affected software: vm2; impact described as arbitrary code execution with sandbox escape. No exploitation details are...

CVSS 10 | AI score 5.9 | EPSS 0.00576
Exploits: 1 | References: 2 | Affected Software: 1

Vulnrichment
added 2026/05/04 4:35 p.m. | 3 views

CVE-2026-26332 vm2: Sandbox Escape

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0...

CVSS 9.8 | AI score 5.9 | EPSS 0.00576
Exploits: 1 | References: 2

Cvelist
added 2026/05/04 4:35 p.m. | 27 views

CVE-2026-26332 vm2: Sandbox Escape

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0...

CVSS 9.8 | EPSS 0.00576
Exploits: 1 | References: 2

ATTACKERKB
added 2026/05/04 4:31 p.m. | 2 views

CVE-2026-24120

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in versio...

CVSS 10 | AI score 6.1 | EPSS 0.02342
Exploits: 5 | References: 3 | Affected Software: 1

Vulnrichment
added 2026/05/04 4:31 p.m. | 4 views

CVE-2026-24120 vm2: Sandbox Breakout Through Promise Species

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in versio...

CVSS 9.8 | AI score 7.7 | EPSS 0.00735
Exploits: 1 | References: 2

Cvelist
added 2026/05/04 4:31 p.m. | 31 views

CVE-2026-24120 vm2: Sandbox Breakout Through Promise Species

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in versio...

CVSS 9.8 | EPSS 0.00735
Exploits: 1 | References: 2

CVE
added 2026/05/04 4:31 p.m. | 14 views

CVE-2026-24120

Technical details about CVE-2026-24120 are not publicly available in the provided documents. The affected components, root cause, impact, and fixes are not specified here. Monitor for updates.

CVSS 9.8 | AI score 7.7 | EPSS 0.00735
Exploits: 1 | References: 2 | Affected Software: 1

OSV
added 2026/05/04 4:29 p.m. | 3 views

GHSA-GRJ5-JJM8-H35P VM2 Sandbox Breakout Through __lookupGetter__

Summary: VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. Details: The __lookupGetter__ method allows reading the getter of an object. It is special in VM2 since it will switch...

CVSS 9.8 | AI score 6.2 | EPSS 0.00886
Exploits: 1 | References: 6

GitHub Security Blog
added 2026/05/04 4:29 p.m. | 9 views

VM2 Sandbox Breakout Through __lookupGetter__

Summary: VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. Details: The __lookupGetter__ method allows reading the getter of an object. It is special in VM2 since it will switch...

CVSS 9.8 | AI score 6.2 | EPSS 0.00886
Exploits: 1 | References: 6 | Affected Software: 1

EUVD
added 2026/05/04 4:28 p.m. | 5 views

EUVD-2026-26984

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0...

CVSS 9.8 | AI score 6.1 | EPSS 0.00886
Exploits: 1 | References: 4

Vulnrichment
added 2026/05/04 4:28 p.m. | 5 views

CVE-2026-24118 VM2 Sandbox Breakout Through __lookupGetter__

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0...

CVSS 9.8 | AI score 6.1 | EPSS 0.00886
Exploits: 1 | References: 4

OSV
added 2026/05/04 11:31 a.m. | 7 views

OPENSUSE-SU-2026:20667-1 Security update for MozillaFirefox

This update for MozillaFirefox fixes the following issues: Update to Firefox Extended Support Release 140.10.1 ESR. - MFSA 2026-36 bsc1263110 CVE-2026-7320: Information disclosure due to incorrect boundary conditions in the Audio/Video component. CVE-2026-7321: Sandbox escape due to incorrect...

CVSS 9.6 | AI score 5.8 | EPSS 0.00314
Exploits: 0 | References: 5

OSV
added 2026/05/04 6:31 a.m. | 4 views

CLSA-2026-1776163133 tomcat: Fix of 3 CVEs

- CVE-2024-52316: fix unchecked error condition in Jakarta Authentication JASPIC ServerAuthContext
- CVE-2025-46701: fix case sensitivity bypass in CGI servlet pathInfo
- CVE-2025-55754: add escaping to logging output for ANSI sequences...

CVSS 9.8 | AI score 6 | EPSS 0.09244
Exploits: 2 | References: 1

CNNVD
added 2026/05/04 12:0 a.m. | 6 views

vm2 code injection vulnerability

vm2 is a high-level virtual machine/sandbox developed by Czech developer Patrik Simek. It runs untrusted code using Node’s built-in modules listed in the allowlist. Versions of vm2 prior to 3.11.0 had a code injection vulnerability; this vulnerability stemmed from the SuppressedError feature, whi...

CVSS 10 | AI score 6.3 | EPSS 0.00576
Exploits: 1 | References: 1

CNNVD
added 2026/05/04 12:0 a.m. | 4 views

n8n code injection vulnerability

n8n is an open-source, scalable workflow automation tool developed by n8n. Versions of n8n prior to 1.123.32, 2.17.4, and 2.18.1 contained a code injection vulnerability. This vulnerability stems from workflows that include Python Code Nodes, allowing authenticated users to escape the sandbox and...

CVSS 8.8 | AI score 6.2 | EPSS 0.00363
Exploits: 0 | References: 1

Positive Technologies
added 2026/05/04 12:0 a.m. | 3 views

PT-2026-36904

Name of the Vulnerable Software and Affected Versions: n8n versions prior to 1.123.32; n8n versions prior to 2.17.4; n8n versions prior to 2.18.1. Description: An authenticated user with permissions to create or modify workflows containing a Python Code Node can escape the sandbox to achieve arbitrary...

CVSS 7.1 | AI score 6.3 | EPSS 0.00363
Exploits: 0 | References: 3

CNNVD
added 2026/05/04 12:0 a.m. | 9 views

vm2 code injection vulnerability

vm2 is a high-level virtual machine/sandbox developed by Czech developer Patrik Simek. It runs untrusted code using Node.js built-in modules listed in the allowlist. Versions of vm2 prior to 3.11.0 had a code injection vulnerability, which stemmed from a sandbox escape vulnerability. This...

CVSS 9.8 | AI score 6.3 | EPSS 0.00886
Exploits: 1 | References: 1