{"url":"http://public2.vulnerablecode.io/api/packages/41719?format=json","purl":"pkg:npm/vm2@3.11.3","type":"npm","namespace":"","name":"vm2","version":"3.11.3","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"3.11.4","latest_non_vulnerable_version":"3.11.4","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/213091?format=json","vulnerability_id":"VCID-8au2-j7az-byfp","summary":"NodeVM network builtin exclusions bypass via internal _http_client and _http_server","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-47139","reference_id":"","reference_type":"","scores":[{"value":"0.00052","scoring_system":"epss","scoring_elements":"0.16772","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-47139"},{"reference_url":"https://github.com/patriksimek/vm2","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2"},{"reference_url":"https://github.com/patriksimek/vm2/commit/436053e30eecbabd487e2fd2959c137ac34e2bb1","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-06-12T16:07:30Z/"}],"url":"https://github.com/patriksimek/vm2/commit/436053e30eecbabd487e2fd2959c137ac34e2bb1"},{"reference_url":"https://github.com/patriksimek/vm2/releases/tag/v3.11.4","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-06-12T16:07:30Z/"}],"url":"https://github.com/patriksimek/vm2/releases/tag/v3.11.4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-47139","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-47139"},{"reference_url":"https://github.com/advisories/GHSA-r9pm-gxmw-wv6p","reference_id":"GHSA-r9pm-gxmw-wv6p","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r9pm-gxmw-wv6p"},{"reference_url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-r9pm-gxmw-wv6p","reference_id":"GHSA-r9pm-gxmw-wv6p","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-06-12T16:07:30Z/"}],"url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-r9pm-gxmw-wv6p"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41720?format=json","purl":"pkg:npm/vm2@3.11.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.4"}],"aliases":["CVE-2026-47139","GHSA-r9pm-gxmw-wv6p"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8au2-j7az-byfp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/213084?format=json","vulnerability_id":"VCID-c1qf-rxjq-p7hr","summary":"vm2 setup-sandbox.js violates Defense Invariant #11 in stack-trace formatter","references":[{"reference_url":"https://github.com/patriksimek/vm2","reference_id":"","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2"},{"reference_url":"https://github.com/patriksimek/vm2/commit/ad31adc1fc4a2c163f2f8c11ab4af206074528fd","reference_id":"","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2/commit/ad31adc1fc4a2c163f2f8c11ab4af206074528fd"},{"reference_url":"https://github.com/patriksimek/vm2/releases/tag/v3.11.4","reference_id":"","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2/releases/tag/v3.11.4"},{"reference_url":"https://github.com/advisories/GHSA-q3fm-4wcw-g57x","reference_id":"GHSA-q3fm-4wcw-g57x","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q3fm-4wcw-g57x"},{"reference_url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-q3fm-4wcw-g57x","reference_id":"GHSA-q3fm-4wcw-g57x","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-q3fm-4wcw-g57x"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41720?format=json","purl":"pkg:npm/vm2@3.11.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.4"}],"aliases":["GHSA-q3fm-4wcw-g57x"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-c1qf-rxjq-p7hr"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/213085?format=json","vulnerability_id":"VCID-cb3t-tejn-2fcn","summary":"vm2 is Vulnerable to Sandbox Breakout Through Promise Species","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-47208","reference_id":"","reference_type":"","scores":[{"value":"0.00471","scoring_system":"epss","scoring_elements":"0.65184","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-47208"},{"reference_url":"https://github.com/patriksimek/vm2","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2"},{"reference_url":"https://github.com/patriksimek/vm2/commit/a462655009669c3124ee39498121651597529ea8","reference_id":"","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-06-12T15:08:35Z/"}],"url":"https://github.com/patriksimek/vm2/commit/a462655009669c3124ee39498121651597529ea8"},{"reference_url":"https://github.com/patriksimek/vm2/releases/tag/v3.11.4","reference_id":"","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-06-12T15:08:35Z/"}],"url":"https://github.com/patriksimek/vm2/releases/tag/v3.11.4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-47208","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-47208"},{"reference_url":"https://github.com/advisories/GHSA-76w7-j9cq-rx2j","reference_id":"GHSA-76w7-j9cq-rx2j","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-76w7-j9cq-rx2j"},{"reference_url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-76w7-j9cq-rx2j","reference_id":"GHSA-76w7-j9cq-rx2j","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-06-12T15:08:35Z/"}],"url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-76w7-j9cq-rx2j"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41720?format=json","purl":"pkg:npm/vm2@3.11.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.4"}],"aliases":["CVE-2026-47208","GHSA-76w7-j9cq-rx2j"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cb3t-tejn-2fcn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/213089?format=json","vulnerability_id":"VCID-ecr5-kq87-2uez","summary":"vm2 sandbox escape via JSPI-backed Promise `.finally()` species bypass","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-47210","reference_id":"","reference_type":"","scores":[{"value":"0.00109","scoring_system":"epss","scoring_elements":"0.28992","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-47210"},{"reference_url":"https://github.com/patriksimek/vm2","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2"},{"reference_url":"https://github.com/patriksimek/vm2/commit/6915fa4d9bcebd47b9a4f39a1adc1aa94ef6ffc6","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-06-12T16:02:57Z/"}],"url":"https://github.com/patriksimek/vm2/commit/6915fa4d9bcebd47b9a4f39a1adc1aa94ef6ffc6"},{"reference_url":"https://github.com/patriksimek/vm2/releases/tag/v3.11.4","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-06-12T16:02:57Z/"}],"url":"https://github.com/patriksimek/vm2/releases/tag/v3.11.4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-47210","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-47210"},{"reference_url":"https://github.com/advisories/GHSA-6j2x-vhqr-qr7q","reference_id":"GHSA-6j2x-vhqr-qr7q","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6j2x-vhqr-qr7q"},{"reference_url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-6j2x-vhqr-qr7q","reference_id":"GHSA-6j2x-vhqr-qr7q","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-06-12T16:02:57Z/"}],"url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-6j2x-vhqr-qr7q"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41720?format=json","purl":"pkg:npm/vm2@3.11.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.4"}],"aliases":["CVE-2026-47210","GHSA-6j2x-vhqr-qr7q"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ecr5-kq87-2uez"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/213090?format=json","vulnerability_id":"VCID-etxy-bh6c-zbdv","summary":"NodeVM builtin denylist bypass via process and inspector/promises allows host code execution","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-47140","reference_id":"","reference_type":"","scores":[{"value":"0.00134","scoring_system":"epss","scoring_elements":"0.33249","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-47140"},{"reference_url":"https://github.com/patriksimek/vm2","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2"},{"reference_url":"https://github.com/patriksimek/vm2/commit/a1ed47a98d1cc36cb48c0d566d55889688e0b59b","reference_id":"","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-06-12T16:38:46Z/"}],"url":"https://github.com/patriksimek/vm2/commit/a1ed47a98d1cc36cb48c0d566d55889688e0b59b"},{"reference_url":"https://github.com/patriksimek/vm2/releases/tag/v3.11.4","reference_id":"","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-06-12T16:38:46Z/"}],"url":"https://github.com/patriksimek/vm2/releases/tag/v3.11.4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-47140","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-47140"},{"reference_url":"https://github.com/advisories/GHSA-rp36-8xq3-r6c4","reference_id":"GHSA-rp36-8xq3-r6c4","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rp36-8xq3-r6c4"},{"reference_url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-rp36-8xq3-r6c4","reference_id":"GHSA-rp36-8xq3-r6c4","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-06-12T16:38:46Z/"}],"url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-rp36-8xq3-r6c4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41720?format=json","purl":"pkg:npm/vm2@3.11.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.4"}],"aliases":["CVE-2026-47140","GHSA-rp36-8xq3-r6c4"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-etxy-bh6c-zbdv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/213087?format=json","vulnerability_id":"VCID-kv67-9wty-p3hc","summary":"vm2's Bridge Proxy set trap ignores receiver parameter, enabling host object property injection via prototype chain","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-47209","reference_id":"","reference_type":"","scores":[{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.15915","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-47209"},{"reference_url":"https://github.com/patriksimek/vm2","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2"},{"reference_url":"https://github.com/patriksimek/vm2/commit/26d0318b5e6555be4b187ba05d6cf378ccecfe22","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-06-12T15:00:52Z/"}],"url":"https://github.com/patriksimek/vm2/commit/26d0318b5e6555be4b187ba05d6cf378ccecfe22"},{"reference_url":"https://github.com/patriksimek/vm2/releases/tag/v3.11.4","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-06-12T15:00:52Z/"}],"url":"https://github.com/patriksimek/vm2/releases/tag/v3.11.4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-47209","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-47209"},{"reference_url":"https://github.com/advisories/GHSA-c4cf-2hgv-2qv6","reference_id":"GHSA-c4cf-2hgv-2qv6","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-c4cf-2hgv-2qv6"},{"reference_url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-c4cf-2hgv-2qv6","reference_id":"GHSA-c4cf-2hgv-2qv6","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-06-12T15:00:52Z/"}],"url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-c4cf-2hgv-2qv6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41720?format=json","purl":"pkg:npm/vm2@3.11.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.4"}],"aliases":["CVE-2026-47209","GHSA-c4cf-2hgv-2qv6"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kv67-9wty-p3hc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/213086?format=json","vulnerability_id":"VCID-r9rx-mrvp-97br","summary":"vm2 has a sandbox escape via unblocked cross-realm Symbol.for keys + missing bridge write-trap symbol checks","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-47135","reference_id":"","reference_type":"","scores":[{"value":"0.00071","scoring_system":"epss","scoring_elements":"0.21913","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-47135"},{"reference_url":"https://github.com/patriksimek/vm2","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2"},{"reference_url":"https://github.com/patriksimek/vm2/commit/928aef51898b5c52a05f05a40c4cfeb52e172878","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-06-12T15:07:51Z/"}],"url":"https://github.com/patriksimek/vm2/commit/928aef51898b5c52a05f05a40c4cfeb52e172878"},{"reference_url":"https://github.com/patriksimek/vm2/releases/tag/v3.11.4","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-06-12T15:07:51Z/"}],"url":"https://github.com/patriksimek/vm2/releases/tag/v3.11.4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-47135","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-47135"},{"reference_url":"https://github.com/advisories/GHSA-m5q2-4fm3-vfqp","reference_id":"GHSA-m5q2-4fm3-vfqp","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m5q2-4fm3-vfqp"},{"reference_url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-m5q2-4fm3-vfqp","reference_id":"GHSA-m5q2-4fm3-vfqp","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-06-12T15:07:51Z/"}],"url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-m5q2-4fm3-vfqp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41720?format=json","purl":"pkg:npm/vm2@3.11.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.4"}],"aliases":["CVE-2026-47135","GHSA-m5q2-4fm3-vfqp"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-r9rx-mrvp-97br"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/213092?format=json","vulnerability_id":"VCID-sxnb-dxuh-hfbt","summary":"NodeVM observability builtins leak host process and HTTP request data","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-47141","reference_id":"","reference_type":"","scores":[{"value":"0.00084","scoring_system":"epss","scoring_elements":"0.24647","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-47141"},{"reference_url":"https://github.com/patriksimek/vm2","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2"},{"reference_url":"https://github.com/patriksimek/vm2/commit/e1c48fce05189f48e71efbd32af0754efa4066bb","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:U"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-06-13T03:08:58Z/"}],"url":"https://github.com/patriksimek/vm2/commit/e1c48fce05189f48e71efbd32af0754efa4066bb"},{"reference_url":"https://github.com/patriksimek/vm2/releases/tag/v3.11.4","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:U"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-06-13T03:08:58Z/"}],"url":"https://github.com/patriksimek/vm2/releases/tag/v3.11.4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-47141","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-47141"},{"reference_url":"https://github.com/advisories/GHSA-9g8x-92q2-p28f","reference_id":"GHSA-9g8x-92q2-p28f","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9g8x-92q2-p28f"},{"reference_url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-9g8x-92q2-p28f","reference_id":"GHSA-9g8x-92q2-p28f","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:U"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-06-13T03:08:58Z/"}],"url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-9g8x-92q2-p28f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41720?format=json","purl":"pkg:npm/vm2@3.11.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.4"}],"aliases":["CVE-2026-47141","GHSA-9g8x-92q2-p28f"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sxnb-dxuh-hfbt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/213088?format=json","vulnerability_id":"VCID-tdv8-2vye-cyaw","summary":"vm2 has a CVE-2023-37903 patch bypass: nesting:true without explicit require still allows full RCE","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-47137","reference_id":"","reference_type":"","scores":[{"value":"0.00223","scoring_system":"epss","scoring_elements":"0.45286","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-47137"},{"reference_url":"https://github.com/patriksimek/vm2","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2"},{"reference_url":"https://github.com/patriksimek/vm2/commit/01a7552add345d5a6862623884e6b79a85bf0568","reference_id":"","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-06-12T14:58:42Z/"}],"url":"https://github.com/patriksimek/vm2/commit/01a7552add345d5a6862623884e6b79a85bf0568"},{"reference_url":"https://github.com/patriksimek/vm2/commit/86ab819f202c3a8dad88cef5705f2e416c5188d7","reference_id":"","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-06-12T14:58:42Z/"}],"url":"https://github.com/patriksimek/vm2/commit/86ab819f202c3a8dad88cef5705f2e416c5188d7"},{"reference_url":"https://github.com/patriksimek/vm2/releases/tag/v3.11.4","reference_id":"","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-06-12T14:58:42Z/"}],"url":"https://github.com/patriksimek/vm2/releases/tag/v3.11.4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-47137","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-47137"},{"reference_url":"https://github.com/advisories/GHSA-g644-9gfx-q4q4","reference_id":"GHSA-g644-9gfx-q4q4","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-06-12T14:58:42Z/"}],"url":"https://github.com/advisories/GHSA-g644-9gfx-q4q4"},{"reference_url":"https://github.com/advisories/GHSA-m4wx-m65x-ghrr","reference_id":"GHSA-m4wx-m65x-ghrr","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m4wx-m65x-ghrr"},{"reference_url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-m4wx-m65x-ghrr","reference_id":"GHSA-m4wx-m65x-ghrr","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-06-12T14:58:42Z/"}],"url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-m4wx-m65x-ghrr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41720?format=json","purl":"pkg:npm/vm2@3.11.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.4"}],"aliases":["CVE-2026-47137","GHSA-m4wx-m65x-ghrr"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tdv8-2vye-cyaw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/213083?format=json","vulnerability_id":"VCID-yg7p-bmb4-8fg7","summary":"vm2 has a Sandbox Escape issue","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-47131","reference_id":"","reference_type":"","scores":[{"value":"0.00068","scoring_system":"epss","scoring_elements":"0.21221","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-47131"},{"reference_url":"https://github.com/patriksimek/vm2","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2"},{"reference_url":"https://github.com/patriksimek/vm2/commit/27c525f4615e2b983f122e2bed327d810126f5c8","reference_id":"","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-06-13T03:06:23Z/"}],"url":"https://github.com/patriksimek/vm2/commit/27c525f4615e2b983f122e2bed327d810126f5c8"},{"reference_url":"https://github.com/patriksimek/vm2/releases/tag/v3.11.4","reference_id":"","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-06-13T03:06:23Z/"}],"url":"https://github.com/patriksimek/vm2/releases/tag/v3.11.4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-47131","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-47131"},{"reference_url":"https://github.com/advisories/GHSA-v6mx-mf47-r5wg","reference_id":"GHSA-v6mx-mf47-r5wg","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v6mx-mf47-r5wg"},{"reference_url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-v6mx-mf47-r5wg","reference_id":"GHSA-v6mx-mf47-r5wg","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-06-13T03:06:23Z/"}],"url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-v6mx-mf47-r5wg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41720?format=json","purl":"pkg:npm/vm2@3.11.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.4"}],"aliases":["CVE-2026-47131","GHSA-v6mx-mf47-r5wg"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yg7p-bmb4-8fg7"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/69768?format=json","vulnerability_id":"VCID-598j-pe72-qkh3","summary":"vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.3, it is possible to catch a host exception using the yield* expression inside an async generator. When the generator is closed using the return function, the value is awaited on and exceptions thrown in the then call will be caught by the runtime and passed to the yield* iterator as the next value. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This vulnerability is fixed in 3.11.3.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-45411","reference_id":"","reference_type":"","scores":[{"value":"0.00082","scoring_system":"epss","scoring_elements":"0.24183","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00082","scoring_system":"epss","scoring_elements":"0.23987","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-45411"},{"reference_url":"https://github.com/patriksimek/vm2","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2"},{"reference_url":"https://github.com/patriksimek/vm2/commit/093494c0c3ef2390d2e56909f9d56e290e6f18b0","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2/commit/093494c0c3ef2390d2e56909f9d56e290e6f18b0"},{"reference_url":"https://github.com/patriksimek/vm2/releases/tag/v3.11.3","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2/releases/tag/v3.11.3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45411","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45411"},{"reference_url":"https://github.com/advisories/GHSA-248r-7h7q-cr24","reference_id":"GHSA-248r-7h7q-cr24","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-248r-7h7q-cr24"},{"reference_url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-248r-7h7q-cr24","reference_id":"GHSA-248r-7h7q-cr24","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-13T18:06:42Z/"}],"url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-248r-7h7q-cr24"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41719?format=json","purl":"pkg:npm/vm2@3.11.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-8au2-j7az-byfp"},{"vulnerability":"VCID-c1qf-rxjq-p7hr"},{"vulnerability":"VCID-cb3t-tejn-2fcn"},{"vulnerability":"VCID-ecr5-kq87-2uez"},{"vulnerability":"VCID-etxy-bh6c-zbdv"},{"vulnerability":"VCID-kv67-9wty-p3hc"},{"vulnerability":"VCID-r9rx-mrvp-97br"},{"vulnerability":"VCID-sxnb-dxuh-hfbt"},{"vulnerability":"VCID-tdv8-2vye-cyaw"},{"vulnerability":"VCID-yg7p-bmb4-8fg7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.3"}],"aliases":["CVE-2026-45411","GHSA-248r-7h7q-cr24"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-598j-pe72-qkh3"}],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.3"}