What is CVE-2026-43997?

CVE-2026-43997 is a critical-severity vulnerability in Patriksimek Vm2, classified under Code Injection. CVSS score: 10.0/10. Published 2026-05-13.

How severe is CVE-2026-43997?

Critical severity. CVSS v3 base score is 10.0 out of 10.

RCE in Patriksimek Vm2

CVE-2026-43997

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the host Object, to escape the sandbox, one example would be using HostObject.getOwnPropertySymbols to o…

Vulnerability class: RCE (Remote Code Execution)

EPSS: 0.000 (6.4th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 10.0 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.

Affected products

Patriksimek Vm2 — versions < 3.11.0
Vm2_project Vm2

Weakness classification (CWE)

CWE-94 — Code Injection

References

security-advisories@github.com (x_refsource_CONFIRM, Exploit, Vendor Advisory)

Frequently asked questions

What is CVE-2026-43997?: CVE-2026-43997 is a critical-severity vulnerability in Patriksimek Vm2, classified under Code Injection. CVSS score: 10.0/10. Published 2026-05-13.
How severe is CVE-2026-43997?: Critical severity. CVSS v3 base score is 10.0 out of 10.