CVE-2026-44005

The CVE-2026-44005 entry concerns vm2, a Node.js sandbox library. From versions 3.9.6 through 3.10.5, vm2’s bridge exposes mutable host-intrinsic prototypes and forwards sandbox writes into host objects, enabling attacker-controlled code inside a sandbox (default VM or inherited NodeVM) to mutate...

OpenClaw: Sandbox staged writes could escape the verified parent directory before commit

Summary In affected versions of openclaw, sandbox fs-bridge writes validated the destination before commit, but temporary file creation and population were not pinned to a verified parent directory. A raced parent-path alias change could cause the staged temp file to be created outside the intend...