Vulnerability Description
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0.
CVSS Score
9.8
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vm2 Project | Vm2 | < 3.11.0 |
Related Weaknesses (CWE)
References
- https://github.com/patriksimek/vm2/releases/tag/v3.11.0Release Notes
- https://github.com/patriksimek/vm2/security/advisories/GHSA-55hx-c926-fr95ExploitVendor Advisory
- https://github.com/patriksimek/vm2/security/advisories/GHSA-55hx-c926-fr95ExploitVendor Advisory
FAQ
What is CVE-2026-26332?
CVE-2026-26332 is a vulnerability with a CVSS score of 9.8 (CRITICAL). vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0.
How severe is CVE-2026-26332?
CVE-2026-26332 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-26332?
Check the references section above for vendor advisories and patch information. Affected products include: Vm2 Project Vm2.