Lucene search
K

18 matches found

RedhatCVE
RedhatCVE
added 2026/06/25 10:59 p.m.8 views

CVE-2026-47208

A flaw was found in vm2, an open-source virtual machine VM sandbox for Node.js. This vulnerability allows an attacker to escape the sandbox environment by writing malicious code. Successful exploitation can lead to arbitrary code execution on the host system, compromising the integrity and...

10CVSS6.3AI score0.0051EPSS
Exploits0References6
RedhatCVE
RedhatCVE
added 2026/06/23 1:26 p.m.8 views

CVE-2026-47139

A flaw was found in vm2, a Node.js sandbox. This vulnerability allows sandboxed code to bypass network restrictions by utilizing internal HTTP built-ins, such as httpclient and httpserver. An attacker can exploit this to make outbound HTTP requests or open listening HTTP sockets, even when public...

8.6CVSS5.8AI score0.00282EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/12 2:16 p.m.11 views

EUVD-2026-36447

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.4...

10CVSS5.7AI score0.0051EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/12 2:16 p.m.13 views

EUVD-2026-36446

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM blocks several dangerous Node.js builtins such as module, workerthreads, cluster, vm, repl, and inspector. However, the denylist misses process and inspector/promises. Both can be used from sandboxed code to reach...

10CVSS5.6AI score0.00536EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/06/05 7:25 p.m.11 views

CVE-2026-44003

A flaw was found in vm2 before 3.11.0. A code transformer fast-path skips AST analysis when catch, import, and async are absent, allowing direct access to VM2INTERNALSTATEDONOTUSEORPROGRAMWILLFAIL and internal security functions handleException, wrapWith, import. Fixed in 3.11.0...

5.8CVSS5.8AI score0.00248EPSS
Exploits1References4
RedhatCVE
RedhatCVE
added 2026/06/05 7:23 p.m.14 views

CVE-2026-43997

A flaw was found in vm2 before 3.11.0, a Node.js sandbox library. Sandboxed code can obtain the host Object e.g. via HostObject.getOwnPropertySymbols and Symbolnodejs.util.inspect.custom, bypassing isolation and enabling arbitrary code execution on the host...

10CVSS6.7AI score0.00976EPSS
Exploits1References4
EUVD
EUVD
added 2026/06/03 9:39 p.m.14 views

EUVD-2026-34029

browserstack-runner vulnerable to Remote Code Execution via vm sandbox escape in log HTTP handler...

8.8CVSS5.9AI score0.00392EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/05/15 5:38 p.m.7 views

CVE-2026-26332

A flaw was found in vm2, an open-source sandbox for Node.js. This vulnerability allows a remote attacker to escape the sandbox environment by exploiting the SuppressedError mechanism. Successful exploitation can lead to arbitrary code execution on the host system, compromising the integrity and...

10CVSS6.5AI score0.0071EPSS
Exploits1References5
NVD
NVD
added 2026/05/13 6:16 p.m.12 views

CVE-2026-44009

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, This vulnerability is fixed in 3.11.2...

9.8CVSS0.00812EPSS
Exploits1References4
NVD
NVD
added 2026/05/13 6:16 p.m.16 views

CVE-2026-44006

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, It is possible to reach BaseHandler.getPrototypeOf, which can be used to get arbitrary prototypes. This vulnerability is fixed in 3.11.0...

10CVSS0.00815EPSS
Exploits1References4
Vulnrichment
Vulnrichment
added 2026/05/13 5:30 p.m.8 views

CVE-2026-44003 vm2: Transformer Fast-Path Bypass Exposes Internal State Variable

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, vm2's code transformer has a performance optimization that skips AST analysis when the code does not contain catch, import, or async keywords. This fast-path bypass allows sandboxed code to directly access the internal...

5.3CVSS5.8AI score0.00248EPSS
Exploits1References1
CNNVD
CNNVD
added 2026/05/13 12:0 a.m.9 views

vm2 代码注入漏洞

vm2 is a high-level virtual machine/sandbox for Node.js developed by Czech developer Patrik Simek. It runs untrusted code using built-in Node modules listed in the allowlist. Versions of vm2 prior to 3.11.0 had a code injection vulnerability, which was due to the access to...

10CVSS6.2AI score0.00815EPSS
Exploits1References1
EUVD
EUVD
added 2026/05/05 4:23 p.m.18 views

EUVD-2026-26986

VM2 Has Sandbox Breakout Through Promise Species...

9.8CVSS5.8AI score0.00896EPSS
Exploits1References4
Cvelist
Cvelist
added 2026/05/04 4:35 p.m.30 views

CVE-2026-26332 vm2: Sandbox Escape

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0...

9.8CVSS0.0071EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/05/01 12:0 a.m.13 views

PT-2026-36847

Name of the Vulnerable Software and Affected Versions vm2 versions prior to 3.10.5 Description An insufficient fix in the sandbox implementation allows attackers to bypass security restrictions, enabling them to escape the VM2 sandbox and execute arbitrary commands on the host system. This is...

9.8CVSS6.6AI score0.00896EPSS
Exploits1References15
Positive Technologies
Positive Technologies
added 2026/02/21 12:0 a.m.13 views

PT-2026-21375

Name of the Vulnerable Software and Affected Versions OneUptime versions 9.5.13 and below Description OneUptime is a solution for monitoring and managing online services. The custom JavaScript monitor feature utilizes Node.js's node:vm module, which is explicitly documented as not being a securit...

9.9CVSS5.5AI score0.00504EPSS
Exploits2References20
CNNVD
CNNVD
added 2025/07/08 12:0 a.m.5 views

Node.js Sandbox MCP Server 安全漏洞

Node.js Sandbox MCP Server is a context protocol server based on the Node.js model by the individual developer Alfonso Graziano. A security vulnerability exists in Node.js Sandbox MCP Server versions prior to 1.3.0 that stems from command injection and could lead to remote code execution...

7.5CVSS8AI score0.01053EPSS
Exploits0References3
CNNVD
CNNVD
added 2023/04/06 12:0 a.m.7 views

vm2 安全漏洞

vm2 is an advanced virtual machine/sandbox for Node.js by individual developer Patrik Simek in the Czech Republic. to run untrusted code using whitelisted Node built-in modules. A security vulnerability exists in vm2 versions prior to 3.9.15 that stems from vm2 not properly handling passed host...

10CVSS8.6AI score0.63186EPSS
Exploits2References7
Rows per page
Query Builder