What is CVE-2026-26956?

CVE-2026-26956 is a critical-severity vulnerability in Patriksimek Vm2, classified under Protection Mechanism Failure. CVSS score: 9.8/10. Published 2026-05-04.

How severe is CVE-2026-26956?

Critical severity. CVSS v3 base score is 9.8 out of 10.

Vulnerability in Patriksimek Vm2

CVE-2026-26956

vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside VM.run() obtains host process object and runs host commands with zero host cooper…

EPSS: 0.001 (30.3th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Patriksimek Vm2 — versions = 3.10.4
Vm2_project Vm2

Weakness classification (CWE)

CWE-693 — Protection Mechanism Failure

References

https://github.com/patriksimek/vm2/releases/tag/v3.10.5 (x_refsource_MISC, Release Notes)
https://github.com/patriksimek/vm2/security/advisories/GHSA-ffh4-j6h5-pg66 (x_refsource_CONFIRM, Exploit, Vendor Advisory)

Frequently asked questions

What is CVE-2026-26956?: CVE-2026-26956 is a critical-severity vulnerability in Patriksimek Vm2, classified under Protection Mechanism Failure. CVSS score: 9.8/10. Published 2026-05-04.
How severe is CVE-2026-26956?: Critical severity. CVSS v3 base score is 9.8 out of 10.