49 matches found
EUVD-2025-31197
Open Babel has heap buffer overflow in ChemKin ChemKinFormat::CheckSpecies...
CVE-2026-47210 vm2 sandbox escape via JSPI-backed Promise `.finally()` species bypass
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, a sandbox escape vulnerability in vm2 allows arbitrary code execution in the host process when untrusted code is executed with async support on runtimes exposing WebAssembly JSPI WebAssembly.promising / WebAssembly.Suspending...
CVE-2026-47208 vm2: Sandbox Breakout Using Promise Species
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.4...
GHSA-76W7-J9CQ-RX2J vm2 is Vulnerable to Sandbox Breakout Through Promise Species
Summary VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. Details The localPromise constructor was changed to call this.thenundefined, eater to ensure a rejected promise i...
Improper Control of Dynamically-Managed Code Resources
Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Improper Control of Dynamically-Managed Code Resources via the localPromise constructor in lib/setup-sandbox.js. An attacker can obta...
vm2 is Vulnerable to Sandbox Breakout Through Promise Species
Summary VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. Details The localPromise constructor was changed to call this.thenundefined, eater to ensure a rejected promise i...
How to Compare the Security of Code Written by Humans to LLM-Generated Code
Large language models LLMs are rapidly transforming how software is created and maintained. Comparing LLM-generated code against human-written standards is essential to determine whether these new tools uphold or erode the security baselines established by professional developers. Yet, we lack a...
CVE-2026-44008
CVE-2026-44008 describes a vm2 sandbox escape in the Node.js vm2 library. Before version 3.11.2, the method neutralizeArraySpeciesBatch could interact with objects from the outside and, via a getter on Array.prototype, expose host objects to the sandbox, allowing an attacker to access the host Fu...
CVE-2026-44008 vm2: Snabox breakout via `neutralizeArraySpeciesBatch`
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, the new method neutralizeArraySpeciesBatch works with objects from the other side but can call into this side via getter on the array prototype exposing objects of the wrong side into the sandbox. This can be used to get host objects...
GHSA-9QJ6-QJGG-37QQ vm2 has sandbox breakout via `neutralizeArraySpeciesBatch`
Summary VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. Details The new method neutralizeArraySpeciesBatch works with objects from the other side but can call into this...
NPM: VM2 Has Sandbox Breakout Through Promise Species
NPM: VM2 Has Sandbox Breakout Through Promise Species vulnerability discovered by ? in WordPress Npm vm2 versions = 3.10.3...
GHSA-QVJJ-29QF-HP7P VM2 Has Sandbox Breakout Through Promise Species
Summary The fix for https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. Details The fix for...
VM2 Has Sandbox Breakout Through Promise Species
Summary The fix for https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. Details The fix for...
Arbitrary Code Injection
Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Arbitrary Code Injection through the resetPromiseSpecies function. An attacker can execute arbitrary commands on the host system by escaping from the...
CVE-2026-24120
Technical details about CVE-2026-24120 are not publicly available in the provided documents. The affected components, root cause, impact, and fixes are not specified here. Monitor for updates.
Friday Squid Blogging: New Squid Species Discovered
A new species of squid. pretends to be a plant: Scientists have filmed a never-before-seen species of deep-sea squid burying itself upside down in the seafloor--a behavior never documented in cephalopods. They captured the bizarre scene while studying the depths of the Clarion-Clipperton Zone CCZ...
Security update for rhino
This update for rhino fixes the following issues: Update to version 1.7.15.1. Security issues fixed: CVE-2025-66453: high CPU consumption when processing specific numbers via the toFixed function bsc1254481. Other changes and issues fixed: Version 1.7.15: Basic support for "rest parameters"...
SUSE-SU-2025:4390-1 Security update for rhino
This update for rhino fixes the following issues: Update to version 1.7.15.1. Security issues fixed: - CVE-2025-66453: high CPU consumption when processing specific numbers via the toFixed function bsc1254481. Other changes and issues fixed: - Version 1.7.15: Basic support for 'rest parameters'...
CVE-2025-10997
A flaw has been found in Open Babel up to 3.1.1. Impacted is the function ChemKinFormat::CheckSpecies of the file /src/formats/chemkinformat.cpp. Executing manipulation can lead to heap-based buffer overflow. The attack can only be executed locally. The exploit has been published and may be used...
CVE-2025-10997 Open Babel chemkinformat.cpp CheckSpecies heap-based overflow
A flaw has been found in Open Babel up to 3.1.1. Impacted is the function ChemKinFormat::CheckSpecies of the file /src/formats/chemkinformat.cpp. Executing manipulation can lead to heap-based buffer overflow. The attack can only be executed locally. The exploit has been published and may be used...