Lucene search
K

501 matches found

vulnersOsv
vulnersOsv
added 2026/05/29 5:49 p.m.6 views

org.webjars.npm:degenerator (=4.0.4), org.webjars.npm:pac-resolver (=6.0.2) +1 more potentially affected by CVE-2026-47209 via org.webjars.npm:vm2 (=3.9.19)

org.webjars.npm:vm2 MAVEN version =3.9.19 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:vm2 and may be impacted: - org.webjars.npm:degenerator =4.0.4 - org.webjars.npm:pac-resolver =6.0.2 - org.webjars.npm:rocket.chatapps-engine =1.35...

8.6CVSS5.5AI score0.00287EPSS
Exploits0
Snyk
Snyk
added 2026/05/29 5:49 p.m.11 views

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the BaseHandler.set trap in lib/bridge.js. An...

9.2CVSS6.3AI score0.00287EPSS
Exploits0References2
vulnersOsv
vulnersOsv
added 2026/05/29 5:44 p.m.6 views

@aiconnect/codelets-runner (>=0.1.0 <=0.2.0), @cairncms/api (>=1.0.0-beta.1 <=1.0.0-beta.4) +23 more potentially affected by CVE-2026-47135 via vm2 (>=3.0.0 <=3.11.3)

vm2 NPM version =3.0.0, =0.1.0, =1.0.0-beta.1, =3.0.46, =0.1.0, =1.0.0, =1.1.15, =1.27.8, =1.0.0-beta.1, =1.1.0, =0.2.0, =0.1.64, =0.1.61, =0.1.65 and more Source cves: CVE-2026-47135 Source advisory: SNYK:JS-VM2-17111274...

8.7CVSS5.7AI score0.00266EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2026/05/29 5:44 p.m.5 views

org.webjars.npm:degenerator (=4.0.4), org.webjars.npm:pac-resolver (=6.0.2) +1 more potentially affected by CVE-2026-47135 via org.webjars.npm:vm2 (=3.9.19)

org.webjars.npm:vm2 MAVEN version =3.9.19 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:vm2 and may be impacted: - org.webjars.npm:degenerator =4.0.4 - org.webjars.npm:pac-resolver =6.0.2 - org.webjars.npm:rocket.chatapps-engine =1.35...

8.7CVSS5.5AI score0.00266EPSS
Exploits0
Snyk
Snyk
added 2026/05/29 5:44 p.m.10 views

Incomplete List of Disallowed Inputs

Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs through Symbol.for handling in lib/setup-sandbox.js and the bridge write traps in lib/bridge.js...

9.5CVSS5.9AI score0.00266EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/29 5:44 p.m.10 views

Incomplete List of Disallowed Inputs

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs through Symbol.for handling in lib/setup-sandbox.js and the bridge write traps in lib/bridge.js. An attacker can...

9.5CVSS5.9AI score0.00266EPSS
Exploits0References2
vulnersOsv
vulnersOsv
added 2026/05/29 5:40 p.m.10 views

@aiconnect/codelets-runner (>=0.1.0 <=0.2.0), @cairncms/api (>=1.0.0-beta.1 <=1.0.0-beta.4) +23 more potentially affected by CVE-2026-47208 via vm2 (>=3.0.0 <=3.11.3)

vm2 NPM version =3.0.0, =0.1.0, =1.0.0-beta.1, =3.0.46, =0.1.0, =1.0.0, =1.1.15, =1.27.8, =1.0.0-beta.1, =1.1.0, =0.2.0, =0.1.64, =0.1.61, =0.1.65 and more Source cves: CVE-2026-47208 Source advisory: SNYK:JS-VM2-17111264...

10CVSS5.7AI score0.0051EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2026/05/29 5:40 p.m.6 views

org.webjars.npm:degenerator (=4.0.4), org.webjars.npm:pac-resolver (=6.0.2) +1 more potentially affected by CVE-2026-47208 via org.webjars.npm:vm2 (=3.9.19)

org.webjars.npm:vm2 MAVEN version =3.9.19 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:vm2 and may be impacted: - org.webjars.npm:degenerator =4.0.4 - org.webjars.npm:pac-resolver =6.0.2 - org.webjars.npm:rocket.chatapps-engine =1.35...

10CVSS5.5AI score0.0051EPSS
Exploits0
Snyk
Snyk
added 2026/05/29 5:40 p.m.11 views

Improper Control of Dynamically-Managed Code Resources

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Improper Control of Dynamically-Managed Code Resources via the localPromise constructor in lib/setup-sandbox.js. An attacker can obtain a host-realm...

10CVSS6AI score0.0051EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/29 5:38 p.m.15 views

Improper Validation of Array Index

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Improper Validation of Array Index through the defaultSandboxPrepareStackTrace function in lib/setup-sandbox.js. An attacker can observe or rewrite...

3.2CVSS5.9AI score
Exploits0References2
vulnersOsv
vulnersOsv
added 2026/05/29 5:33 p.m.9 views

@aiconnect/codelets-runner (>=0.1.0 <=0.2.0), @cairncms/api (>=1.0.0-beta.1 <=1.0.0-beta.4) +23 more potentially affected by CVE-2026-47131 via vm2 (>=3.0.0 <=3.11.3)

vm2 NPM version =3.0.0, =0.1.0, =1.0.0-beta.1, =3.0.46, =0.1.0, =1.0.0, =1.1.15, =1.27.8, =1.0.0-beta.1, =1.1.0, =0.2.0, =0.1.64, =0.1.61, =0.1.65 and more Source cves: CVE-2026-47131 Source advisory: SNYK:JS-VM2-17111319...

10CVSS5.7AI score0.004EPSS
Exploits0
vulnersOsv
vulnersOsv
added 2026/05/29 5:33 p.m.5 views

org.webjars.npm:degenerator (=4.0.4), org.webjars.npm:pac-resolver (=6.0.2) +1 more potentially affected by CVE-2026-47131 via org.webjars.npm:vm2 (=3.9.19)

org.webjars.npm:vm2 MAVEN version =3.9.19 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:vm2 and may be impacted: - org.webjars.npm:degenerator =4.0.4 - org.webjars.npm:pac-resolver =6.0.2 - org.webjars.npm:rocket.chatapps-engine =1.35...

10CVSS5.5AI score0.004EPSS
Exploits0
Snyk
Snyk
added 2026/05/29 5:33 p.m.9 views

Improper Control of Dynamically-Managed Code Resources

Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Improper Control of Dynamically-Managed Code Resources through the lib/bridge.js apply trap and thisEnsureThis proto-walk. An attacke...

10CVSS6.1AI score0.004EPSS
Exploits0References2
Snyk
Snyk
added 2026/05/29 5:33 p.m.9 views

Improper Control of Dynamically-Managed Code Resources

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Improper Control of Dynamically-Managed Code Resources through the lib/bridge.js apply trap and thisEnsureThis proto-walk. An attacker can obtain hos...

10CVSS6.1AI score0.004EPSS
Exploits0References2
OSV
OSV
added 2026/05/29 5:33 p.m.7 views

GHSA-V6MX-MF47-R5WG vm2 has a Sandbox Escape issue

Summary By combining Buffer.call.call.lookupGetter, Buffer, "proto", Buffer.call.call.lookupSetter, Buffer, "proto", and Node.js's ERRINVALIDARGTYPE Error, the host's TypeError constructor can be obtained, which allows the escape from the sandbox. This allows attackers to run arbitrary code. PoC ...

10CVSS5.9AI score0.004EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/05/29 5:33 p.m.21 views

vm2 has a Sandbox Escape issue

Summary By combining Buffer.call.call.lookupGetter, Buffer, "proto", Buffer.call.call.lookupSetter, Buffer, "proto", and Node.js's ERRINVALIDARGTYPE Error, the host's TypeError constructor can be obtained, which allows the escape from the sandbox. This allows attackers to run arbitrary code. PoC ...

10CVSS5.9AI score0.004EPSS
Exploits0References5Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/29 12:0 a.m.20 views

PT-2026-45032

Name of the Vulnerable Software and Affected Versions vm2 versions prior to 3.11.4 Description A sandbox escape allows arbitrary code execution in the host process when untrusted code is executed with async support on runtimes exposing WebAssembly JSPI WebAssembly JavaScript Promise Integration,...

9.8CVSS6AI score0.00507EPSS
Exploits0References7
Circl
Circl
added 2026/05/18 12:45 p.m.10 views

CVE-2026-47131

creationtimestamp| type| source ---|---|--- 2026-05-18 12:45:44+00:00| published-proof-of-concept| https://github.com/patriksimek/vm2/security/advisories/GHSA-v6mx-mf47-r5wg...

10CVSS5.8AI score0.004EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/05/15 7:58 p.m.12 views

CVE-2026-24118

A flaw was found in vm2, an open-source sandbox for Node.js. This sandbox breakout vulnerability allows attackers to write malicious code that can escape the vm2 sandbox. Successful exploitation enables the execution of arbitrary commands on the host system, leading to critical system compromise...

9.8CVSS6.2AI score0.00917EPSS
Exploits1References7
RedhatCVE
RedhatCVE
added 2026/05/15 5:51 p.m.11 views

CVE-2026-24120

A flaw was found in vm2, an open-source sandbox for Node.js. This vulnerability allows a remote attacker to bypass existing security controls, specifically the fix for CVE-2023-37466. By circumventing the sandbox, an attacker can execute arbitrary commands on the host system, leading to a complet...

9.8CVSS6.2AI score0.00896EPSS
Exploits1References5
Rows per page
Query Builder