CVE-2026-43998

The CVE-2026-43998 issue affects vm2 (NodeVM) where require.root restrictions can be bypassed via filesystem symlinks. The root cause is that path.resolve() is used for validation (which does not dereference symlinks) while Node’s native require() follows symlinks, enabling sandboxed host code to...