Vm2 maintainers security patch release for CVE-2026-22709
Security Patch Release
Summary
Hide ▲
Show ▼
vm2 maintainers released a fix for CVE-2026-22709 in vm2 3.10.2 and directed users to upgrade to 3.10.3, reducing the risk of sandbox escape and arbitrary code execution on the host OS. The update matters because the flaw affects a library used to isolate untrusted JavaScript code. It also signals that the remediation scope extends beyond the initial fix, with 3.10.3 adding further sandbox-escape corrections.
Related Happenings
Amazon security patch release for CVE-2026-50549
Security Patch Release
H score29
First: 09.07.2026 14:00
Last: 09.07.2026 14:00
Sources 1
About this happening:
**Amazon, Google and Cursor** shipped fixes for **GhostApproval**, a flaw in AI coding assistants that let deceptive repository paths bypass approval prompts. The patch response c...
Amazon security patch release for CVE-2026-50549
Security Patch ReleaseAbout this happening: **Amazon, Google and Cursor** shipped fixes for **GhostApproval**, a flaw in AI coding assistants that let deceptive repository paths bypass approval prompts. The patch response c...
Npm v12 default-blocks install scripts, Git dependencies, and remote URLs
Security Tool/Service
H score11
First: 12.06.2026 16:00
Last: 12.06.2026 16:00
Sources 1
About this happening:
GitHub announced **npm v12** with **default-blocking install scripts, Git dependencies, and remote URLs**, shifting package installation to **explicit opt-in** and reducing **supp...
Npm v12 default-blocks install scripts, Git dependencies, and remote URLs
Security Tool/ServiceAbout this happening: GitHub announced **npm v12** with **default-blocking install scripts, Git dependencies, and remote URLs**, shifting package installation to **explicit opt-in** and reducing **supp...
Avada Builder 3.15.3 patch release (CVE-2026-4782, CVE-2026-4798)
Security Patch Release
H score21
First: 15.05.2026 18:56
Last: 15.05.2026 18:56
Sources 1
About this happening:
**Avada Builder** shipped **version 3.15.3** as the full fix for **CVE-2026-4782** and **CVE-2026-4798**, closing the plugin flaws that could expose files and database data. A pri...
Avada Builder 3.15.3 patch release (CVE-2026-4782, CVE-2026-4798)
Security Patch ReleaseAbout this happening: **Avada Builder** shipped **version 3.15.3** as the full fix for **CVE-2026-4782** and **CVE-2026-4798**, closing the plugin flaws that could expose files and database data. A pri...
GitHub CVE-2026-3854 security patch release
Security Patch Release
H score34
First: 29.04.2026 15:41
Last: 29.04.2026 15:41
Sources 1
About this happening:
**GitHub** released **security fixes** for **CVE-2026-3854**, patching **GitHub.com** and supported **GitHub Enterprise Server** builds after a critical **remote code execution**...
GitHub CVE-2026-3854 security patch release
Security Patch ReleaseAbout this happening: **GitHub** released **security fixes** for **CVE-2026-3854**, patching **GitHub.com** and supported **GitHub Enterprise Server** builds after a critical **remote code execution**...
Terrarium CVE-2026-5752 mitigation guidance
Advisory/Mitigation
H score39
First: 22.04.2026 10:16
Last: 22.04.2026 10:16
Sources 1
About this happening:
**CERT/CC** issued mitigation guidance for **Terrarium** deployments exposed to **CVE-2026-5752**, a **sandbox-escape** flaw that can lead to **root code execution**. The advice i...
Terrarium CVE-2026-5752 mitigation guidance
Advisory/MitigationAbout this happening: **CERT/CC** issued mitigation guidance for **Terrarium** deployments exposed to **CVE-2026-5752**, a **sandbox-escape** flaw that can lead to **root code execution**. The advice i...
Timeline
-
28.01.2026 16:01 2 articles · 5mo ago
vm2 discloses CVE-2026-22709 and urges upgrade
Initial Disclosurevm2 maintainer Patrik Simek disclosed CVE-2026-22709 in vm2 version 3.10.0, where Promise.prototype.then and Promise.prototype.catch callback sanitization can be bypassed to let attackers escape the sandbox and run arbitrary code on the underlying operating system. The issue is described as critical with CVSS 9.8/10.0, was addressed in vm2 3.10.2, and users are urged to upgrade to 3.10.3 for additional sandbox-escape fixes.
Show sources
- Critical vm2 Node.js Flaw Allows Sandbox Escape and Arbitrary Code Execution — thehackernews.com — 28.01.2026 16:01
- Critical vm2 Node.js Flaw Allows Sandbox Escape and Arbitrary Code Execution — thehackernews.com — 28.01.2026 16:01