
16 matches found

EUVD
added 2026/06/12 2:16 p.m., 7 views

EUVD-2026-36447

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.4...

CVSS 10, AI score 5.7, EPSS 0.00885
Exploits 0, References 3
EUVD
added 2026/06/12 2:16 p.m., 7 views

EUVD-2026-36446

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM blocks several dangerous Node.js builtins such as module, worker_threads, cluster, vm, repl, and inspector. However, the denylist misses process and inspector/promises. Both can be used from sandboxed code to reach...

CVSS 10, AI score 5.6, EPSS 0.00883
Exploits 0, References 3
RedhatCVE
added 2026/06/05 7:25 p.m., 7 views

CVE-2026-44003

A flaw was found in vm2 before 3.11.0. A code transformer fast-path skips AST analysis when catch, import, and async are absent, allowing direct access to VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL and internal security functions handleException, wrapWith, import. Fixed in 3.11.0...

CVSS 5.8, AI score 5.8, EPSS 0.00248
Exploits 1, References 4
RedhatCVE
added 2026/06/05 7:23 p.m., 8 views

CVE-2026-43997

A flaw was found in vm2 before 3.11.0, a Node.js sandbox library. Sandboxed code can obtain the host Object e.g. via HostObject.getOwnPropertySymbols and Symbolnodejs.util.inspect.custom, bypassing isolation and enabling arbitrary code execution on the host...

CVSS 10, AI score 6.7, EPSS 0.00738
Exploits 1, References 4
EUVD
added 2026/06/03 9:39 p.m., 9 views

EUVD-2026-34029

browserstack-runner vulnerable to Remote Code Execution via vm sandbox escape in log HTTP handler...

CVSS 8.8, AI score 5.9, EPSS 0.00395
Exploits 0, References 3
RedhatCVE
added 2026/05/15 5:38 p.m., 5 views

CVE-2026-26332

A flaw was found in vm2, an open-source sandbox for Node.js. This vulnerability allows a remote attacker to escape the sandbox environment by exploiting the SuppressedError mechanism. Successful exploitation can lead to arbitrary code execution on the host system, compromising the integrity and...

CVSS 10, AI score 6.5, EPSS 0.00576
Exploits 1, References 5
NVD
added 2026/05/13 6:16 p.m., 11 views

CVE-2026-44006

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to reach BaseHandler.getPrototypeOf, which can be used to get arbitrary prototypes. This vulnerability is fixed in 3.11.0...

CVSS 10, EPSS 0.00593
Exploits 1, References 1
NVD
added 2026/05/13 6:16 p.m., 8 views

CVE-2026-44009

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, This vulnerability is fixed in 3.11.2...

CVSS 9.8, EPSS 0.00614
Exploits 1, References 1
Vulnrichment
added 2026/05/13 5:30 p.m., 6 views

CVE-2026-44003 vm2: Transformer Fast-Path Bypass Exposes Internal State Variable

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, vm2's code transformer has a performance optimization that skips AST analysis when the code does not contain catch, import, or async keywords. This fast-path bypass allows sandboxed code to directly access the internal...

CVSS 5.3, AI score 5.8, EPSS 0.00248
Exploits 1, References 1
CNNVD
added 2026/05/13 12:00 a.m., 6 views

vm2 code injection vulnerability

vm2 is a high-level virtual machine/sandbox for Node.js developed by Czech developer Patrik Simek. It runs untrusted code using built-in Node modules listed in the allowlist. Versions of vm2 prior to 3.11.0 had a code injection vulnerability, which was due to the access to...

CVSS 10, AI score 6.2, EPSS 0.00593
Exploits 1, References 1
EUVD
added 2026/05/05 4:23 p.m., 8 views

EUVD-2026-26986

VM2 Has Sandbox Breakout Through Promise Species...

CVSS 9.8, AI score 5.8, EPSS 0.00735
Exploits 1, References 4
Cvelist
added 2026/05/04 4:35 p.m., 27 views

CVE-2026-26332 vm2: Sandbox Escape

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0...

CVSS 9.8, EPSS 0.00576
Exploits 1, References 2
Positive Technologies
added 2026/05/01 12:00 a.m., 7 views

PT-2026-36847

Name of the Vulnerable Software and Affected Versions: vm2 versions prior to 3.10.5. Description: An insufficient fix in the sandbox implementation allows attackers to bypass security restrictions, enabling them to escape the VM2 sandbox and execute arbitrary commands on the host system. This is...

CVSS 9.8, AI score 6.6, EPSS 0.00735
Exploits 1, References 15
Positive Technologies
added 2026/02/21 12:00 a.m., 6 views

PT-2026-21375

Name of the Vulnerable Software and Affected Versions: OneUptime versions 9.5.13 and below. Description: OneUptime is a solution for monitoring and managing online services. The custom JavaScript monitor feature utilizes Node.js's node:vm module, which is explicitly documented as not being a securit...

CVSS 9.9, AI score 5.5, EPSS 0.00504
Exploits 2, References 20
CNNVD
added 2025/07/08 12:00 a.m., 3 views

Node.js Sandbox MCP Server security vulnerability

Node.js Sandbox MCP Server is a context protocol server based on the Node.js model by the individual developer Alfonso Graziano. A security vulnerability exists in Node.js Sandbox MCP Server versions prior to 1.3.0 that stems from command injection and could lead to remote code execution...

CVSS 7.5, AI score 8, EPSS 0.01053
Exploits 0, References 3
CNNVD
added 2023/04/06 12:00 a.m., 3 views

vm2 security vulnerability

vm2 is an advanced virtual machine/sandbox for Node.js by individual developer Patrik Simek in the Czech Republic, used to run untrusted code using whitelisted Node built-in modules. A security vulnerability exists in vm2 versions prior to 3.9.15 that stems from vm2 not properly handling passed host...

CVSS 10, AI score 8.6, EPSS 0.63207
Exploits 1, References 7