
Vm2 Node.js sandbox escape (CVE-2026-26956)

Vulnerability
First reported
Last updated
Happening score
H score 31
1 unique source, 1 article

Summary


A PoC exploit for CVE-2026-26956 now exposes vm2 3.10.4 deployments to arbitrary code execution on the host. The flaw may also affect earlier vm2 releases, but confirmed impact is tied to vm2 version 3.10.4. Users are urged to upgrade to vm2 3.10.5+ because the attack path is already public.

Related Happenings

Vm2 Node.js sandbox escape and RCE vulnerabilities (CVE-2026-24118)

Vulnerability
First: 07.05.2026 07:15 Last: 07.05.2026 07:15 Sources 1

About this happening: **vm2** now has **multiple critical vulnerabilities** that can let attacker-controlled JavaScript **escape the sandbox** and reach the host, creating **arbitrary code execution**...

Vm2 Node.js sandbox library sandbox escape (CVE-2026-22709)

Vulnerability
First: 27.01.2026 18:35 Last: 27.01.2026 18:35 Sources 1

About this happening: **vm2 Node.js sandbox library** has a critical **CVE-2026-22709** sandbox-escape flaw that can let untrusted JavaScript break out and run **arbitrary code** on the host. The weakn...

Timeline

  1. 06.05.2026 21:38 2 articles · 21d ago

    vm2 CVE-2026-26956 sandbox escape on Node.js 25

    Technical Analysis Update

    CVE-2026-26956 is a critical vm2 sandbox escape affecting vm2 version 3.10.4, and possibly earlier releases, when Node.js 25.6.1 is run with WebAssembly exception handling and JSTag support enabled. A specially crafted Symbol-to-string TypeError can leak a host-side error object back into the sandbox, letting attackers reach Node.js internals such as process and execute arbitrary code on the host. Public PoC exploit code is available, and upgrading to vm2 3.10.5 or later is the recommended mitigation path.
