Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

7 matches found

Github Security Blog
Github Security Blogadded 6 days ago8 views

vm2 sandbox escape via JSPI-backed Promise `.finally()` species bypass

Summary A sandbox escape vulnerability in vm2 allows arbitrary code execution in the host process when untrusted code is executed with async support on runtimes exposing WebAssembly JSPI WebAssembly.promising / WebAssembly.Suspending. In the tested configuration, a JSPI-backed Promise can reach...

6.4AI score
Exploits0References4Affected Software1
Positive Technologies
Positive Technologiesadded 2026/05/22 12:0 a.m.5 views

PT-2026-42732

Name of the Vulnerable Software and Affected Versions vm2 versions prior to 3.11.4 Description Sandbox escape flaws in NodeVM allow unauthenticated remote code execution on the host server. The issue occurs because the dangerous builtin denylist in lib/builtin.js misses process and...

10CVSS6.5AI score
Exploits0References7
CNNVD
CNNVDadded 2026/05/13 12:0 a.m.4 views

vm2 代码注入漏洞

vm2 is a high-level virtual machine/sandbox for Node.js developed by Patrik Simek from Czech Republic. It runs untrusted code using built-in Node modules listed in the allowlist. In versions 3.9.6 to 3.10.5 of vm2, there was a code injection vulnerability. This vulnerability stemmed from a bridgi...

10CVSS6.1AI score0.00108EPSS
Exploits1References1
Positive Technologies
Positive Technologiesadded 2026/05/04 12:0 a.m.3 views

PT-2026-36848

Name of the Vulnerable Software and Affected Versions vm2 versions prior to 3.11.0 Description vm2 is an open source sandbox for Node.js. A sandbox breakout occurs through the inspect function, allowing attackers to write code that escapes the sandbox environment and executes arbitrary commands o...

9.8CVSS6AI score0.0017EPSS
Exploits1References18
Positive Technologies
Positive Technologiesadded 2026/01/26 12:0 a.m.1 views

PT-2026-4821

Name of the Vulnerable Software and Affected Versions vm2 versions prior to 3.10.2 Description vm2 is a Node.js library used to create sandboxed environments for executing untrusted code. A flaw exists in versions prior to 3.10.2 where the sanitization of Promise.prototype.then and...

10CVSS9AI score0.00054EPSS
Exploits1References57
OSV
OSVadded 2023/05/15 8:50 p.m.1 views

GHSA-WHPJ-8F3W-67P5 vm2 Sandbox Escape vulnerability

A sandbox escape vulnerability exists in vm2 for versions up to 3.9.17. It abuses an unexpected creation of a host object based on the specification of Proxy. Impact A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. Patches Thi...

9.8CVSS7.6AI score0.64898EPSS
Exploits1References6
Positive Technologies
Positive Technologiesadded 2023/05/08 12:0 a.m.1 views

PT-2023-20335 · Vm2 +1 · Vm2 +1

Name of the Vulnerable Software and Affected Versions: jsreport versions prior to 3.11.3 Description: The issue is related to code injection in the jsreport GitHub repository. An attacker can exploit this to obtain authority over the jsreport playground server or construct a malicious webpage/htm...

10CVSS9.4AI score0.00486EPSS
Exploits1References9
Rows per page
Query Builder