Find notable cyber news and cases, enriched with sources, timelines, and signals.

Vm2 maintainers security patch release for CVE-2026-22709

Security Patch Release
First reported
Last updated
Happening score
H score 45
1 unique sources, 1 articles

Summary

Hide ▲

vm2 maintainers released a fix for CVE-2026-22709 in vm2 3.10.2 and directed users to upgrade to 3.10.3, reducing the risk of sandbox escape and arbitrary code execution on the host OS. The update matters because the flaw affects a library used to isolate untrusted JavaScript code. It also signals that the remediation scope extends beyond the initial fix, with 3.10.3 adding further sandbox-escape corrections.

Related Happenings

Amazon security patch release for CVE-2026-50549

Security Patch Release
H score29 First: 09.07.2026 14:00 Last: 09.07.2026 14:00 Sources 1

About this happening: **Amazon, Google and Cursor** shipped fixes for **GhostApproval**, a flaw in AI coding assistants that let deceptive repository paths bypass approval prompts. The patch response c...

Npm v12 default-blocks install scripts, Git dependencies, and remote URLs

Security Tool/Service
H score11 First: 12.06.2026 16:00 Last: 12.06.2026 16:00 Sources 1

About this happening: GitHub announced **npm v12** with **default-blocking install scripts, Git dependencies, and remote URLs**, shifting package installation to **explicit opt-in** and reducing **supp...

Avada Builder 3.15.3 patch release (CVE-2026-4782, CVE-2026-4798)

Security Patch Release
H score21 First: 15.05.2026 18:56 Last: 15.05.2026 18:56 Sources 1

About this happening: **Avada Builder** shipped **version 3.15.3** as the full fix for **CVE-2026-4782** and **CVE-2026-4798**, closing the plugin flaws that could expose files and database data. A pri...

GitHub CVE-2026-3854 security patch release

Security Patch Release
H score34 First: 29.04.2026 15:41 Last: 29.04.2026 15:41 Sources 1

About this happening: **GitHub** released **security fixes** for **CVE-2026-3854**, patching **GitHub.com** and supported **GitHub Enterprise Server** builds after a critical **remote code execution**...

Terrarium CVE-2026-5752 mitigation guidance

Advisory/Mitigation
H score39 First: 22.04.2026 10:16 Last: 22.04.2026 10:16 Sources 1

About this happening: **CERT/CC** issued mitigation guidance for **Terrarium** deployments exposed to **CVE-2026-5752**, a **sandbox-escape** flaw that can lead to **root code execution**. The advice i...

Timeline

  1. 28.01.2026 16:01 2 articles · 5mo ago

    vm2 discloses CVE-2026-22709 and urges upgrade

    Initial Disclosure

    vm2 maintainer Patrik Simek disclosed CVE-2026-22709 in vm2 version 3.10.0, where Promise.prototype.then and Promise.prototype.catch callback sanitization can be bypassed to let attackers escape the sandbox and run arbitrary code on the underlying operating system. The issue is described as critical with CVSS 9.8/10.0, was addressed in vm2 3.10.2, and users are urged to upgrade to 3.10.3 for additional sandbox-escape fixes.

    Show sources