EUVD-2026-26993
GHSA-55hx-c926-fr95
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
7DescriptionNVD
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0.
AnalysisAI
Remote code execution in vm2 (Node.js sandbox library) versions prior to 3.11.0 allows unauthenticated network attackers to escape the sandbox and execute arbitrary code on the host system. The SuppressedError vulnerability (GHSA-55hx-c926-fr95) is one of 13 full sandbox-escape primitives patched in this coordinated security release. …
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
Within 24 hours: Inventory all applications and services using vm2 library; check installed version via npm list vm2 or package-lock.json. Within 7 days: Upgrade to vm2 version 3.11.0 or later in development and staging environments; test thoroughly for application compatibility. …
Sign in for detailed remediation steps.
More from same product – last 7 days
Command injection in the shell-quote npm package allows attackers who can influence object-token inputs to inject arbitr
Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers
Vendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today