The package vm2 before 3.9.10 are vulnerable to Arbitrary Code Execution due to the usage of prototype lookup for the WeakMap.prototype.set method. Exploiting this vulnerability leads to access to a host object and a sandbox compromise.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HVm2 Project Vm2
APPVm2 Project< 3.9.10
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
References
Related vulnerabilities
CVE-2026-44005CRITICAL10.0PL ✓ten sam produkt
vm2: mutacja prototypów hosta z poziomu sandbox (prototype pollution)
CVE-2026-44006CRITICAL10.0PL ✓ten sam produkt
vm2 (Node.js): ucieczka z sandbox przez BaseHandler.getPrototypeOf (RCE)
CVE-2026-43997CRITICAL10.0PL ✓ten sam produkt
Ucieczka z sandboxa w bibliotece vm2 dla Node.js (RCE)
CVE-2026-43999CRITICAL9.9PL ✓ten sam produkt
vm2: ominięcie listy dozwolonych modułów i RCE przez builtin 'module'
CVE-2026-44007CRITICAL9.1PL ✓ten sam produkt
vm2 (Node.js): ucieczka z sandbox przez zagnieżdżony NodeVM (RCE)