Find notable cyber news and cases, enriched with sources, timelines, and signals.

Vm2 Node.js sandbox library sandbox escape (CVE-2026-22709)

Vulnerability
First reported
Last updated
Happening score
H score 78
2 unique sources, 2 articles

Summary

Hide ▲

vm2 Node.js sandbox library has a critical CVE-2026-22709 sandbox-escape flaw that can let untrusted JavaScript break out and run arbitrary code on the host. The weakness affects vulnerable vm2 deployments used to isolate user code, turning a containment failure into host-level compromise. Mitigation was staged through 3.10.1 and 3.10.2, with 3.10.3 described as the release that properly fixes the disclosed vulnerabilities.

Related Happenings

Npm v12 default-blocks install scripts, Git dependencies, and remote URLs

Security Tool/Service
H score11 First: 12.06.2026 16:00 Last: 12.06.2026 16:00 Sources 1

About this happening: GitHub announced **npm v12** with **default-blocking install scripts, Git dependencies, and remote URLs**, shifting package installation to **explicit opt-in** and reducing **supp...

Vm2 Node.js sandbox escape and RCE vulnerabilities (CVE-2026-24118)

Vulnerability
H score39 First: 07.05.2026 07:15 Last: 07.05.2026 07:15 Sources 1

About this happening: **vm2** now has **multiple critical vulnerabilities** that can let attacker-controlled JavaScript **escape the sandbox** and reach the host, creating **arbitrary code execution**...

Vm2 Node.js sandbox escape (CVE-2026-26956)

Vulnerability
H score29 First: 06.05.2026 21:38 Last: 06.05.2026 21:38 Sources 1

About this happening: A **PoC exploit** for **CVE-2026-26956** now exposes **vm2 3.10.4** deployments to **arbitrary code execution on the host**. The flaw may also affect **earlier vm2 releases**, but...

Protobuf.js unsafe dynamic code generation RCE flaw

Vulnerability
H score37 First: 18.04.2026 18:09 Last: 18.04.2026 18:09 Sources 1

About this happening: A **proof-of-concept exploit** is now public for a **critical RCE flaw** in **protobuf.js**, putting **versions 8.0.0/7.5.4 and lower** at risk of code execution. The weakness com...

Linux kernel AppArmor confused deputy vulnerabilities CrackArmor security flaw

Vulnerability
H score56 First: 13.03.2026 10:18 Last: 13.03.2026 10:18 Sources 1

About this happening: Researchers disclosed **CrackArmor**, nine **confused deputy** flaws in the **Linux kernel's AppArmor module** that can let **unprivileged users** bypass protections, gain **root*...

Timeline

  1. 27.01.2026 18:35 2 articles · 5mo ago

    CVE-2026-22709 sandbox escape in vm2

    Initial Disclosure

    Critical CVE-2026-22709 affects the vm2 Node.js sandbox library and lets untrusted JavaScript bypass Promise.prototype.then and Promise.prototype.catch callback sanitization, escape the sandbox, and execute arbitrary code or commands on the underlying host system; the maintainer says vm2 3.10.1 partially addressed the issue, 3.10.2 tightened the fix, and 3.10.3 is the latest release said to properly fix the disclosed vulnerabilities.

    Show sources