
Vm2 Node.js sandbox library sandbox escape (CVE-2026-22709)

Vulnerability
Happening score: 38
2 unique sources, 2 articles

Summary


The vm2 Node.js sandbox library has a critical sandbox-escape flaw, CVE-2026-22709, that can let untrusted JavaScript break out and run arbitrary code on the host. The weakness affects vulnerable vm2 deployments used to isolate user code, turning a containment failure into host-level compromise. Mitigation was staged through 3.10.1 and 3.10.2, with 3.10.3 described as the release that properly fixes the disclosed vulnerabilities.

Related Happenings

Vm2 Node.js sandbox escape and RCE vulnerabilities (CVE-2026-24118)

Vulnerability
First: 07.05.2026 07:15 Last: 07.05.2026 07:15 Sources 1

About this happening: **vm2** now has **multiple critical vulnerabilities** that can let attacker-controlled JavaScript **escape the sandbox** and reach the host, creating **arbitrary code execution**...

Vm2 Node.js sandbox escape (CVE-2026-26956)

Vulnerability
First: 06.05.2026 21:38 Last: 06.05.2026 21:38 Sources 1

About this happening: A **PoC exploit** for **CVE-2026-26956** now exposes **vm2 3.10.4** deployments to **arbitrary code execution on the host**. The flaw may also affect **earlier vm2 releases**, but...

Protobuf.js unsafe dynamic code generation RCE flaw

Vulnerability
First: 18.04.2026 18:09 Last: 18.04.2026 18:09 Sources 1

About this happening: A **proof-of-concept exploit** is now public for a **critical RCE flaw** in **protobuf.js**, putting **versions 8.0.0/7.5.4 and lower** at risk of code execution. The weakness com...

Linux kernel AppArmor confused deputy vulnerabilities CrackArmor security flaw

Vulnerability
First: 13.03.2026 10:18 Last: 13.03.2026 10:18 Sources 1

About this happening: Researchers disclosed **CrackArmor**, nine **confused deputy** flaws in the **Linux kernel's AppArmor module** that can let **unprivileged users** bypass protections, gain **root*...

Cline hit by cyberattack

Incident
First: 20.02.2026 00:33 Last: 20.02.2026 00:33 Sources 1

About this happening: A **Cline CLI** **supply-chain incident** on **February 17, 2026** used a **compromised npm publish token** to publish **[email protected]** with a **postinstall** step that silently in...

Timeline

  1. 27.01.2026 18:35 2 articles · 4mo ago

    CVE-2026-22709 sandbox escape in vm2

    Initial Disclosure

    The critical CVE-2026-22709 affects the vm2 Node.js sandbox library. It lets untrusted JavaScript bypass the callback sanitization applied to Promise.prototype.then and Promise.prototype.catch, escape the sandbox, and execute arbitrary code or commands on the underlying host system. The maintainer says vm2 3.10.1 partially addressed the issue, 3.10.2 tightened the fix, and 3.10.3 is the latest release said to properly fix the disclosed vulnerabilities.
