| CVE-2026-44006 |
critical |
10.0 |
10.0 |
|
|
|
16d ago |
vm2 has a Sandbox Escape Vulnerability |
| CVE-2026-44005 |
critical |
10.0 |
10.0 |
|
|
|
16d ago |
vm2: Mutable Proxies for Host Intrinsic Prototypes Allows Sandbox Escape |
| CVE-2026-43997 |
critical |
10.0 |
10.0 |
|
|
|
16d ago |
vm2 Access to Host Object Enables Sandbox Escape |
| CVE-2026-26332 |
critical |
10.0 |
10.0 |
|
|
|
25d ago |
VM2 Has a Sandbox Escape Issue via SuppressedError |
| CVE-2026-43999 |
critical |
9.9 |
9.9 |
|
|
|
16d ago |
vm2 has a NodeVM builtin allowlist bypass via `module` builtin's `Module._load` that allows sandbox escape |
| CVE-2026-45411 |
critical |
9.8 |
9.8 |
|
|
|
16d ago |
vm2 Has a Sandbox Breakout Using Async Generator |
| CVE-2026-44009 |
critical |
9.8 |
9.8 |
|
|
|
16d ago |
vm2 has Sandbox Breakout Through Null Proto Exception |
| CVE-2026-44008 |
critical |
9.8 |
9.8 |
|
|
|
16d ago |
vm2 has sandbox breakout via `neutralizeArraySpeciesBatch` |
| CVE-2026-26956 |
critical |
9.8 |
9.8 |
|
|
|
25d ago |
VM2 Has a WASM Sandbox Escape (Node 25 only) |
| CVE-2026-24781 |
critical |
9.8 |
9.8 |
|
|
|
25d ago |
VM2 Has Sandbox Breakout Through Inspect Function |
| CVE-2026-24120 |
critical |
9.8 |
9.8 |
|
|
|
25d ago |
VM2 Has Sandbox Breakout Through Promise Species |
| CVE-2026-24118 |
critical |
9.8 |
9.8 |
|
|
|
25d ago |
VM2 Sandbox Breakout Through __lookupGetter__ |
| CVE-2026-44007 |
critical |
9.1 |
9.1 |
|
|
|
16d ago |
vm2 NodeVM `nesting: true` bypasses `require: false` allowing sandbox escape and arbitrary OS command execution |
| CVE-2026-44001 |
high |
8.6 |
8.6 |
|
|
|
16d ago |
vm2 has a Sandbox Escape via Promise Constructor Unhandled Rejection (Process Crash DoS) |
| CVE-2026-43998 |
high |
8.5 |
8.5 |
|
|
|
16d ago |
vm2 has a NodeVM require.root bypass via symlink traversal that allows sandbox escape |
| CVE-2026-44004 |
high |
7.5 |
7.5 |
|
|
|
16d ago |
vm2 Sandbox Access to Host Buffer.alloc Allows timeout Bypass Resulting in Memory Exhaustion |
| CVE-2026-44000 |
high |
7.2 |
7.2 |
|
|
|
16d ago |
vm2 Host Promise Resolution Preserves Object Identity Across Sandbox Boundary |
| CVE-2026-44003 |
medium |
5.8 |
5.8 |
|
|
|
16d ago |
vm2's Transformer Fast-Path Bypass Exposes Internal State Variable |
| CVE-2026-44002 |
medium |
5.8 |
5.8 |
|
|
|
16d ago |
vm2 is Vulnerable to Host File Path Disclosure via Stack Trace Information Leak |
| CVE-2026-47141 |
unknown |
— |
— |
|
|
|
3h ago |
NodeVM observability builtins leak host process and HTTP request data |
| CVE-2026-47139 |
unknown |
— |
— |
|
|
|
3h ago |
NodeVM network builtin exclusions bypass via internal _http_client and _http_server |
| CVE-2026-47140 |
unknown |
— |
— |
|
|
|
3h ago |
NodeVM builtin denylist bypass via process and inspector/promises allows host code execution |
| CVE-2026-47210 |
unknown |
— |
— |
|
|
|
4h ago |
vm2 sandbox escape via JSPI-backed Promise `.finally()` species bypass |
| CVE-2026-47137 |
unknown |
— |
— |
|
|
|
4h ago |
vm2 has a CVE-2023-37903 patch bypass: nesting:true without explicit require still allows full RCE |
| CVE-2026-47209 |
unknown |
— |
— |
|
|
|
4h ago |
vm2's Bridge Proxy set trap ignores receiver parameter, enabling host object property injection via prototype chain |
| CVE-2026-47135 |
unknown |
— |
— |
|
|
|
4h ago |
vm2 has a sandbox escape via unblocked cross-realm Symbol.for keys + missing bridge write-trap symbol checks |
| CVE-2026-47208 |
unknown |
— |
— |
|
|
|
4h ago |
vm2 is Vulnerable to Sandbox Breakout Through Promise Species |
| CVE-2026-47131 |
unknown |
— |
— |
|
|
|
4h ago |
vm2 has a Sandbox Escape issue |