What is CVE-2026-43998?

CVE-2026-43998 is a high-severity vulnerability in Patriksimek Vm2, classified under Improper Link Resolution Before File Access. CVSS score: 8.5/10. Published 2026-05-13.

How severe is CVE-2026-43998?

High severity. CVSS v3 base score is 8.5 out of 10.

Vulnerability in Patriksimek Vm2

CVE-2026-43998

vm2 is an open source vm/sandbox for Node.js. In 3.10.5, NodeVM's require.root path restriction can be bypassed using filesystem symlinks, allowing sandboxed code to load modules from outside the allowed root directory in host context. Bec…

EPSS: 0.003 (52.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.5 (High). Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H.

Affected products

Patriksimek Vm2 — versions 3.10.5
Vm2_project Vm2 — versions 3.10.5

Weakness classification (CWE)

CWE-59 — Improper Link Resolution Before File Access

References

security-advisories@github.com (x_refsource_CONFIRM, Exploit, Mitigation, Vendor Advisory)

Frequently asked questions

What is CVE-2026-43998?: CVE-2026-43998 is a high-severity vulnerability in Patriksimek Vm2, classified under Improper Link Resolution Before File Access. CVSS score: 8.5/10. Published 2026-05-13.
How severe is CVE-2026-43998?: High severity. CVSS v3 base score is 8.5 out of 10.