What is the CVSS score of CVE-2026-24120?

CVE-2026-24120 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of vm2 are affected by CVE-2026-24120?

CVE-2026-24120 is a critical sandbox escape in vm2 (Node.js sandboxing library) that allows unauthenticated remote attackers to execute arbitrary commands on affected servers.. A patch is available.

Is there a public PoC exploit available for CVE-2026-24120?

Yes, a public proof-of-concept exploit is available for CVE-2026-24120. Prioritise patching immediately. EPSS: 0.1%.

vm2 CVE-2026-24120

EUVD-2026-26986 CRITICAL

Protection Mechanism Failure (CWE-693)

2026-05-04 GitHub_M

GHSA-qvjj-29qf-hp7p

RCE Node.js Red Hat

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch available

May 04, 2026 - 18:32 EUVD

Source Code Evidence Fetched

May 04, 2026 - 17:45 vuln.today

Analysis Generated

May 04, 2026 - 17:45 vuln.today

Patch released

May 04, 2026 - 17:16 nvd

Patch available

EUVD ID Assigned

May 04, 2026 - 17:15 euvd

EUVD-2026-26986

Analysis Generated

May 04, 2026 - 17:15 vuln.today

CVE Published

May 04, 2026 - 16:31 nvd

CRITICAL 9.8

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

11 npm packages depend on vm2 (1 direct, 10 indirect)

Ecosystem-wide dependent count for version 3.10.5.

DescriptionNVD

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.10.5.

AnalysisAI

Sandbox escape in vm2 for Node.js allows remote unauthenticated attackers to execute arbitrary commands on the host system. The vulnerability represents an insufficient fix for CVE-2023-37466, enabling attackers to circumvent sandbox protections through multiple attack vectors including Function constructor extraction, proxy unwrapping, property descriptor manipulation, and WebAssembly JSTag exploitation. …

RemediationAI

Within 24 hours: Identify all applications and services using vm2 across your infrastructure and assess exposure scope. Within 7 days: Upgrade vm2 to version 3.10.5 or later on all affected systems; if upgrade is not immediately possible, implement network-level restrictions to prevent untrusted external input from reaching vm2-dependent services. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory