Vm2_project Vm2
19 CVEs affecting Vm2_project Vm2. Latest disclosed: 2026-05-13. Critical: 13, High: 3.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-44006 | Critical | 10.0 | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to reach BaseHandler.getPrototypeOf, which can be used to get arbitrary prototype… |
| CVE-2026-44005 | Critical | 10.0 | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js. From 3.9.6 to 3.10.5, vm2's bridge exposes mutable proxies for real host-realm intrinsic prototypes and then forw… |
| CVE-2026-43997 | Critical | 10.0 | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the host Object, to esca… |
| CVE-2026-43999 | Critical | 9.9 | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, NodeVM's builtin allowlist can be bypassed when the module builtin is allowed (including via the… |
| CVE-2026-45411 | Critical | 9.8 | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.3, it is possible to catch a host exception using the yield* expression inside an async generator… |
| CVE-2026-44009 | Critical | 9.8 | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, This vulnerability is fixed in 3.11.2. |
| CVE-2026-44008 | Critical | 9.8 | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, the new method neutralizeArraySpeciesBatch works with objects from the other side but can call i… |
| CVE-2026-26956 | Critical | 9.8 | 2026-05-04 | vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside V… |
| CVE-2026-26332 | Critical | 9.8 | 2026-05-04 | vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issu… |
| CVE-2026-24781 | Critical | 9.8 | 2026-05-04 | vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability through the inspect function. This all… |
| CVE-2026-24120 | Critical | 9.8 | 2026-05-04 | vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to… |
| CVE-2026-24118 | Critical | 9.8 | 2026-05-04 | vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code w… |
| CVE-2026-44007 | Critical | 9.1 | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.1, when a NodeVM is created with nesting: true, sandbox code can unconditionally require('vm2') reg… |
| CVE-2026-44001 | High | 8.6 | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, a sandbox escape vulnerability in vm2 v3.10.5 allows any sandboxed code to crash the host Node.j… |
| CVE-2026-43998 | High | 8.5 | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js. In 3.10.5, NodeVM's require.root path restriction can be bypassed using filesystem symlinks, allowing sandboxed c… |
| CVE-2026-44004 | High | 7.5 | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, sandboxed code can call Buffer.alloc() with an arbitrary size to allocate memory directly on the… |
| CVE-2026-44000 | Medium | 6.5 | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, a sandbox boundary violation in vm2 allows host object identity to cross into the sandbox throug… |
| CVE-2026-44002 | Medium | 5.8 | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, vm2's CallSite wrapper class (intended as a safe wrapper for V8's native CallSite) blocks getThi… |
| CVE-2026-44003 | Medium | 5.3 | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, vm2's code transformer has a performance optimization that skips AST analysis when the code does… |