What is the CVSS score of CVE-2026-26956?

CVE-2026-26956 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of vm2 are affected by CVE-2026-26956?

CVE-2026-26956 is a critical sandbox escape vulnerability in vm2 (Node.js sandboxing library) versions up to 3.10.4 that allows remote code execution on the host system without authentication.. A patch is available.

Is there a public PoC exploit available for CVE-2026-26956?

Yes, a public proof-of-concept exploit is available for CVE-2026-26956. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2026-26956?

Within 24 hours: Identify all systems running vm2 versions ≤3.10.4 using dependency scanning (npm audit, SBOM tools). Within 7 days: Upgrade all instances to vm2 version 3.10.5 or later and validate in staging environment. Within 30 days: Audit logs for suspicious code execution patterns in vm2 sandboxes and confirm full deployment across production, development, and CI/CD environments.

vm2 CVE-2026-26956

EUVD-2026-26995 CRITICAL

Protection Mechanism Failure (CWE-693)

2026-05-04 GitHub_M

GHSA-ffh4-j6h5-pg66

RCE Node.js Red Hat

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Source Code Evidence Fetched

May 04, 2026 - 17:46 vuln.today

Analysis Generated

May 04, 2026 - 17:46 vuln.today

EUVD ID Assigned

May 04, 2026 - 17:15 euvd

EUVD-2026-26995

Analysis Generated

May 04, 2026 - 17:15 vuln.today

CVE Published

May 04, 2026 - 16:37 nvd

CRITICAL 9.8

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

10 npm packages depend on vm2 (1 direct, 9 indirect)

Ecosystem-wide dependent count for version 3.10.4.

DescriptionNVD

vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside VM.run() obtains host process object and runs host commands with zero host cooperation. This issue has been patched in version 3.10.5.

AnalysisAI

Full sandbox escape with arbitrary code execution allows remote attackers to break out of vm2's Node.js sandbox environment (version 3.10.4) and execute commands on the host system. Attacker-controlled code running inside VM.run() can obtain the host process object and execute arbitrary host commands without any cooperation from the host application. …

RemediationAI

Within 24 hours: Identify all systems running vm2 versions ≤3.10.4 using dependency scanning (npm audit, SBOM tools). Within 7 days: Upgrade all instances to vm2 version 3.10.5 or later and validate in staging environment. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory