CVE-2026-26332

CRITICAL

vm2: Sandbox Escape

Title source: cna
STIX 2.1

Description

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0.

Scores

CVSS v3 9.8
EPSS 0.0071
EPSS Percentile 49.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-653 CWE-693 CWE-94
Status published
Products (3)
npm/vm2 0 - 3.11.0npm
patriksimek/vm2 < 3.11.0
vm2_project/vm2 < 3.11.0
Published May 04, 2026
Tracked Since May 04, 2026