vm2 maintainers' security patch release for CVE-2026-22709

Security Patch Release
H score 28
1 unique sources, 1 articles

Summary

vm2 maintainers released a fix for CVE-2026-22709 in vm2 3.10.2 and directed users to upgrade to 3.10.3, reducing the risk of sandbox escape and arbitrary code execution on the host OS. The update matters because the flaw affects a library used to isolate untrusted JavaScript code. It also signals that the remediation scope extends beyond the initial fix, with 3.10.3 adding further sandbox-escape corrections.

Related Happenings

Avada Builder 3.15.3 patch release (CVE-2026-4782, CVE-2026-4798)

Security Patch Release
First: 15.05.2026 18:56 Last: 15.05.2026 18:56 Sources 1

About this happening: **Avada Builder** shipped **version 3.15.3** as the full fix for **CVE-2026-4782** and **CVE-2026-4798**, closing the plugin flaws that could expose files and database data. A pri...

GitHub CVE-2026-3854 security patch release

Security Patch Release
First: 29.04.2026 15:41 Last: 29.04.2026 15:41 Sources 1

About this happening: **GitHub** released **security fixes** for **CVE-2026-3854**, patching **GitHub.com** and supported **GitHub Enterprise Server** builds after a critical **remote code execution**...

Terrarium CVE-2026-5752 mitigation guidance

Advisory/Mitigation
First: 22.04.2026 10:16 Last: 22.04.2026 10:16 Sources 1

About this happening: **CERT/CC** issued mitigation guidance for **Terrarium** deployments exposed to **CVE-2026-5752**, a **sandbox-escape** flaw that can lead to **root code execution**. The advice i...

Google security patch release for CVE-2026-5858

Security Patch Release
First: 10.04.2026 13:44 Last: 10.04.2026 13:44 Sources 1

About this happening: **Google** released the first stable **Chrome 147** build, closing **60 vulnerabilities** and raising the browser’s baseline security ahead of broader deployment. The patch bundle...

LangSmith version 0.12.71 security update (CVE-2026-25750)

Security Patch Release
First: 17.03.2026 18:39 Last: 17.03.2026 18:39 Sources 1

About this happening: **LangSmith** released **version 0.12.71** to fix **CVE-2026-25750**, a high-severity flaw that could enable **token theft** and **account takeover**. The update applies to both *...

Timeline

  1. 28.01.2026 16:01 · 2 articles

    vm2 discloses CVE-2026-22709 and urges upgrade

    Initial Disclosure

    vm2 maintainer Patrik Simek disclosed CVE-2026-22709 in vm2 version 3.10.0, where Promise.prototype.then and Promise.prototype.catch callback sanitization can be bypassed to let attackers escape the sandbox and run arbitrary code on the underlying operating system. The issue is described as critical with CVSS 9.8/10.0, was addressed in vm2 3.10.2, and users are urged to upgrade to 3.10.3 for additional sandbox-escape fixes.
