{"url":"http://public2.vulnerablecode.io/api/packages/519088?format=json","purl":"pkg:npm/vm2@3.6.10","type":"npm","namespace":"","name":"vm2","version":"3.6.10","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"3.11.4","latest_non_vulnerable_version":"3.11.4","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/208135?format=json","vulnerability_id":"VCID-3srt-uk7n-xqcw","summary":"Sandbox bypass in vm2","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23555.json","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-23555.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-23555","reference_id":"","reference_type":"","scores":[{"value":"0.01104","scoring_system":"epss","scoring_elements":"0.78559","published_at":"2026-06-12T12:55:00Z"},{"value":"0.01104","scoring_system":"epss","scoring_elements":"0.78493","published_at":"2026-06-11T12:55:00Z"},{"value":"0.01104","scoring_system":"epss","scoring_elements":"0.78572","published_at":"2026-06-14T12:55:00Z"},{"value":"0.01104","scoring_system":"epss","scoring_elements":"0.78577","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-23555"},{"reference_url":"https://github.com/patriksimek/vm2","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2"},{"reference_url":"https://github.com/patriksimek/vm2/commit/532120d5cdec7da8225fc6242e154ebabc63fe4d","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements
":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2/commit/532120d5cdec7da8225fc6242e154ebabc63fe4d"},{"reference_url":"https://snyk.io/vuln/SNYK-JS-VM2-2309905","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JS-VM2-2309905"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2054114","reference_id":"2054114","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2054114"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23555","reference_id":"CVE-2021-23555","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23555"},{"reference_url":"https://github.com/advisories/GHSA-6pw2-5hjv-9pf7","reference_id":"GHSA-6pw2-5hjv-9pf7","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6pw2-5hjv-9pf7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/19330?format=json","purl":"pkg:npm/vm2@3.9.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-55dr-v6ew-s3e8"},{"vulnerability":"VCID-598j-pe72-qkh3"},{"vulnerability":"VCID-6fr8-3aqn-wyce"},{"vulnerability":"VCID-6n7e-fz65-jfds"},{"vulnerability":"VCID-77zs-22q5-d7ev"},{"vulnerability":"VCID-8he7-t256-1yct"},{"vulnerability":"VCID-8pe8-9mh9-27f3"},{"vulnerability":"VCID-8zk3-a7sw-u7an"},{"vulnerability":"VCID-bcct-j6mk-z7hu"},{"vulnerability":"VCID-ct4r-vjm4-4qby"},{"vulnerability":"VCID-g93v
-7a6d-5bfm"},{"vulnerability":"VCID-gbh7-h2ek-hqgg"},{"vulnerability":"VCID-gvhg-db7k-57ey"},{"vulnerability":"VCID-hb4z-qz2p-rqc5"},{"vulnerability":"VCID-k9q9-7mgb-rbbf"},{"vulnerability":"VCID-kjca-h5yw-cudv"},{"vulnerability":"VCID-mqs7-x7bh-17ef"},{"vulnerability":"VCID-nkcm-wcbb-quhs"},{"vulnerability":"VCID-pucd-5ym9-1bc8"},{"vulnerability":"VCID-rm74-p6v5-wkbj"},{"vulnerability":"VCID-rt16-s8w5-8qgy"},{"vulnerability":"VCID-tvb2-2e76-27av"},{"vulnerability":"VCID-ua6c-rrsj-2kg6"},{"vulnerability":"VCID-vj51-w2rv-6qgu"},{"vulnerability":"VCID-vsvp-q6bs-3qau"},{"vulnerability":"VCID-vwem-gghh-t7hc"},{"vulnerability":"VCID-w13m-snrt-5ud3"},{"vulnerability":"VCID-wm49-3agn-rffg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.9.6"}],"aliases":["CVE-2021-23555","GHSA-6pw2-5hjv-9pf7"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3srt-uk7n-xqcw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/67986?format=json","vulnerability_id":"VCID-55dr-v6ew-s3e8","summary":"vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to reach BaseHandler.getPrototypeOf, which can be used to get arbitrary prototypes. 
This vulnerability is fixed in 3.11.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44006","reference_id":"","reference_type":"","scores":[{"value":"0.00061","scoring_system":"epss","scoring_elements":"0.19606","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00061","scoring_system":"epss","scoring_elements":"0.19433","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00061","scoring_system":"epss","scoring_elements":"0.19627","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00067","scoring_system":"epss","scoring_elements":"0.21055","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44006"},{"reference_url":"https://github.com/patriksimek/vm2","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2"},{"reference_url":"https://github.com/patriksimek/vm2/blob/408fc855f1cc1bbc2985b029465ee0e732ada433/lib/bridge.js#L655-L658","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2/blob/408fc855f1cc1bbc2985b029465ee0e732ada433/lib/bridge.js#L655-L658"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44006","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44006"},{"reference_url":"https://github.com/advisories/GHSA-qcp4-v2jj-fjx8","reference_id":"GHSA-qcp4-v2jj-fjx8","reference_type":"","scores":[{"value
":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qcp4-v2jj-fjx8"},{"reference_url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-qcp4-v2jj-fjx8","reference_id":"GHSA-qcp4-v2jj-fjx8","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-13T18:09:17Z/"}],"url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-qcp4-v2jj-fjx8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375381?format=json","purl":"pkg:npm/vm2@3.11.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-598j-pe72-qkh3"},{"vulnerability":"VCID-8zk3-a7sw-u7an"},{"vulnerability":"VCID-g93v-7a6d-5bfm"},{"vulnerability":"VCID-rt16-s8w5-8qgy"},{"vulnerability":"VCID-tvb2-2e76-27av"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.0"}],"aliases":["CVE-2026-44006","GHSA-qcp4-v2jj-fjx8"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-55dr-v6ew-s3e8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/69768?format=json","vulnerability_id":"VCID-598j-pe72-qkh3","summary":"vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.3, it is possible to catch a host exception using the yield* expression inside an async generator. 
When the generator is closed using the return function, the value is awaited on and exceptions thrown in the then call will be caught by the runtime and passed to the yield* iterator as the next value. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This vulnerability is fixed in 3.11.3.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-45411","reference_id":"","reference_type":"","scores":[{"value":"0.00082","scoring_system":"epss","scoring_elements":"0.24192","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00082","scoring_system":"epss","scoring_elements":"0.23987","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00082","scoring_system":"epss","scoring_elements":"0.24183","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00089","scoring_system":"epss","scoring_elements":"0.25545","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-45411"},{"reference_url":"https://github.com/patriksimek/vm2","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2"},{"reference_url":"https://github.com/patriksimek/vm2/commit/093494c0c3ef2390d2e56909f9d56e290e6f18b0","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2/commit/093494c0c3ef2390d2e56909f9d56e290e6f18b0"},{"reference_url":"https://github.com/patriksimek/vm2/releases/tag/v3.11.3","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I
:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2/releases/tag/v3.11.3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45411","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45411"},{"reference_url":"https://github.com/advisories/GHSA-248r-7h7q-cr24","reference_id":"GHSA-248r-7h7q-cr24","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-248r-7h7q-cr24"},{"reference_url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-248r-7h7q-cr24","reference_id":"GHSA-248r-7h7q-cr24","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-13T18:06:42Z/"}],"url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-248r-7h7q-cr24"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/41719?format=json","purl":"pkg:npm/vm2@3.11.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-8au2-j7az-byfp"},{"vulnerability":"VCID-c1qf-rxjq-p7hr"},{"vulnerability":"VCID-cb3t-tejn-2fcn"},{"vulnerability":"VCID-ecr5-kq87-2uez"},{"vulnerability":"VCID-etxy-bh6c-zbdv"},{"vulnerability":"VCID-kv67-9wty-p3hc"},{"vulnerability":"VCID-r9rx-mrvp-97br"},{"vulnerability":"VCID-sxnb-dxuh-hfbt"},{"vulnerability":"VCID-tdv8-2vye-cyaw"},{"vulnerability":"VCID-yg7p-bmb4-8fg7"}],"resource_url"
:"http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.3"}],"aliases":["CVE-2026-45411","GHSA-248r-7h7q-cr24"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-598j-pe72-qkh3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/211032?format=json","vulnerability_id":"VCID-5xbq-86wn-77c4","summary":"vm2 before 3.6.11 vulnerable to sandbox escape","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-10761","reference_id":"","reference_type":"","scores":[{"value":"0.00818","scoring_system":"epss","scoring_elements":"0.74789","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00818","scoring_system":"epss","scoring_elements":"0.7487","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00818","scoring_system":"epss","scoring_elements":"0.74873","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00818","scoring_system":"epss","scoring_elements":"0.7486","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-10761"},{"reference_url":"https://gist.github.com/JLLeitschuh/609bb2efaff22ed84fe182cf574c023a","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://gist.github.com/JLLeitschuh/609bb2efaff22ed84fe182cf574c023a"},{"reference_url":"https://github.com/patriksimek/vm2","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2"},{"reference_url":"https://github.com/patriksimek/vm2/commit/4b22d704e4794af63a5a2d633385fd20948f6f90","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_syst
em":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2/commit/4b22d704e4794af63a5a2d633385fd20948f6f90"},{"reference_url":"https://github.com/patriksimek/vm2/issues/197","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2/issues/197"},{"reference_url":"https://github.com/patriksimek/vm2/issues/197#issuecomment-480643832","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2/issues/197#issuecomment-480643832"},{"reference_url":"https://snyk.io/vuln/SNYK-JS-VM2-473188","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JS-VM2-473188"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-10761","reference_id":"CVE-2019-10761","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-10761"},{"reference_url":"https://github.com/advisories/GHSA-wf5x-cr3r-xr77","reference_id":"GHSA-wf5x-cr3r-xr77","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wf5x-cr3r-xr77"}],"fixed_packages":[{"
url":"http://public2.vulnerablecode.io/api/packages/25326?format=json","purl":"pkg:npm/vm2@3.6.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3srt-uk7n-xqcw"},{"vulnerability":"VCID-55dr-v6ew-s3e8"},{"vulnerability":"VCID-598j-pe72-qkh3"},{"vulnerability":"VCID-6fr8-3aqn-wyce"},{"vulnerability":"VCID-6n7e-fz65-jfds"},{"vulnerability":"VCID-77zs-22q5-d7ev"},{"vulnerability":"VCID-8he7-t256-1yct"},{"vulnerability":"VCID-8pe8-9mh9-27f3"},{"vulnerability":"VCID-8zk3-a7sw-u7an"},{"vulnerability":"VCID-bcct-j6mk-z7hu"},{"vulnerability":"VCID-ct4r-vjm4-4qby"},{"vulnerability":"VCID-g93v-7a6d-5bfm"},{"vulnerability":"VCID-gvhg-db7k-57ey"},{"vulnerability":"VCID-hb4z-qz2p-rqc5"},{"vulnerability":"VCID-k9q9-7mgb-rbbf"},{"vulnerability":"VCID-kjca-h5yw-cudv"},{"vulnerability":"VCID-mqs7-x7bh-17ef"},{"vulnerability":"VCID-nkcm-wcbb-quhs"},{"vulnerability":"VCID-pucd-5ym9-1bc8"},{"vulnerability":"VCID-qsyb-rkff-wyht"},{"vulnerability":"VCID-rm74-p6v5-wkbj"},{"vulnerability":"VCID-rt16-s8w5-8qgy"},{"vulnerability":"VCID-tvb2-2e76-27av"},{"vulnerability":"VCID-ua6c-rrsj-2kg6"},{"vulnerability":"VCID-vj51-w2rv-6qgu"},{"vulnerability":"VCID-vsvp-q6bs-3qau"},{"vulnerability":"VCID-vwem-gghh-t7hc"},{"vulnerability":"VCID-w13m-snrt-5ud3"},{"vulnerability":"VCID-wm49-3agn-rffg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.6.11"}],"aliases":["CVE-2019-10761","GHSA-wf5x-cr3r-xr77"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5xbq-86wn-77c4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/65489?format=json","vulnerability_id":"VCID-6fr8-3aqn-wyce","summary":"vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. 
There are various ways to use the host Object to escape the sandbox; one example would be using HostObject.getOwnPropertySymbols to obtain Symbol(nodejs.util.inspect.custom). This vulnerability is fixed in 3.11.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43997","reference_id":"","reference_type":"","scores":[{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06381","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06391","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06402","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00024","scoring_system":"epss","scoring_elements":"0.07003","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-43997"},{"reference_url":"https://github.com/patriksimek/vm2","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43997","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43997"},{"reference_url":"https://github.com/advisories/GHSA-47x8-96vw-5wg6","reference_id":"GHSA-47x8-96vw-5wg6","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-47x8-96vw-5wg6"},{"reference_url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-47x8-96vw-5wg6","reference_id":"GHSA-47x8-96vw-5wg6","reference_type":"","scores":[{"value":"10
","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-13T18:39:53Z/"}],"url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-47x8-96vw-5wg6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375381?format=json","purl":"pkg:npm/vm2@3.11.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-598j-pe72-qkh3"},{"vulnerability":"VCID-8zk3-a7sw-u7an"},{"vulnerability":"VCID-g93v-7a6d-5bfm"},{"vulnerability":"VCID-rt16-s8w5-8qgy"},{"vulnerability":"VCID-tvb2-2e76-27av"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.0"}],"aliases":["CVE-2026-43997","GHSA-47x8-96vw-5wg6"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6fr8-3aqn-wyce"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/356249?format=json","vulnerability_id":"VCID-6n7e-fz65-jfds","summary":"","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-37903.json","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-37903.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-37903","reference_id":"","reference_type":"","scores":[{"value":"0.39507","scoring_system":"epss","scoring_elements":"0.97403","published_at":"2026-06-12T12:55:00Z"},{"value":"0.39507","scoring_system":"epss","scoring_elements":
"0.97406","published_at":"2026-06-14T12:55:00Z"},{"value":"0.39507","scoring_system":"epss","scoring_elements":"0.97405","published_at":"2026-06-13T12:55:00Z"},{"value":"0.40092","scoring_system":"epss","scoring_elements":"0.97429","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-37903"},{"reference_url":"https://github.com/patriksimek/vm2","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2"},{"reference_url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-37903","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-37903"},{"reference_url":"https://security.netapp.com/advisory/ntap-20230831-0007","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20230831-0007"},{"reference_url":"https://security.netapp.com/advisory/ntap-20241108-0002","reference_id":"","reference
_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20241108-0002"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2224969","reference_id":"2224969","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2224969"},{"reference_url":"https://github.com/advisories/GHSA-g644-9gfx-q4q4","reference_id":"GHSA-g644-9gfx-q4q4","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-g644-9gfx-q4q4"}],"fixed_packages":[],"aliases":["CVE-2023-37903","GHSA-g644-9gfx-q4q4"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6n7e-fz65-jfds"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/68045?format=json","vulnerability_id":"VCID-77zs-22q5-d7ev","summary":"vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, a sandbox boundary violation in vm2 allows host object identity to cross into the sandbox through host Promise resolution. When a host-side Promise that resolves to a host object is exposed to the sandbox, the value delivered to the sandbox .then() callback preserves host identity. This allows the sandbox to interact with the host object directly, including performing identity checks using host-side WeakMap and mutating host object state from inside the sandbox. This behavior occurs because the Promise fulfillment wrapper uses ensureThis() instead of the stronger cross-realm conversion path (from() / proxy wrapping). If no prototype mapping is found, ensureThis() returns the original object. As a result, objects resolved by host Promises can cross the sandbox boundary without proper isolation. 
This vulnerability is fixed in 3.11.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44000","reference_id":"","reference_type":"","scores":[{"value":"0.00047","scoring_system":"epss","scoring_elements":"0.14887","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00047","scoring_system":"epss","scoring_elements":"0.15006","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00047","scoring_system":"epss","scoring_elements":"0.15008","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.16396","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44000"},{"reference_url":"https://github.com/patriksimek/vm2","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44000","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44000"},{"reference_url":"https://github.com/advisories/GHSA-mpf8-4hx2-7cjg","reference_id":"GHSA-mpf8-4hx2-7cjg","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mpf8-4hx2-7cjg"},{"reference_url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-mpf8-4hx2-7cjg","reference_id":"GHSA-mpf8-4hx2-7cjg","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"valu
e":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-13T18:20:50Z/"}],"url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-mpf8-4hx2-7cjg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375381?format=json","purl":"pkg:npm/vm2@3.11.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-598j-pe72-qkh3"},{"vulnerability":"VCID-8zk3-a7sw-u7an"},{"vulnerability":"VCID-g93v-7a6d-5bfm"},{"vulnerability":"VCID-rt16-s8w5-8qgy"},{"vulnerability":"VCID-tvb2-2e76-27av"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.0"}],"aliases":["CVE-2026-44000","GHSA-mpf8-4hx2-7cjg"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-77zs-22q5-d7ev"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/82746?format=json","vulnerability_id":"VCID-8he7-t256-1yct","summary":"vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability through the inspect function. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. 
This issue has been patched in version 3.11.0.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24781.json","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24781.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24781","reference_id":"","reference_type":"","scores":[{"value":"0.00186","scoring_system":"epss","scoring_elements":"0.40422","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00186","scoring_system":"epss","scoring_elements":"0.40433","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00186","scoring_system":"epss","scoring_elements":"0.40243","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00186","scoring_system":"epss","scoring_elements":"0.40411","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24781"},{"reference_url":"https://github.com/patriksimek/vm2","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24781","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24781"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2466531","reference_id":"2466531","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2466531"},{"reference_url":"https://github.com/patriksimek/vm2/commit/8d30d93213c1898b3e035298b89a814
970dd1189","reference_id":"8d30d93213c1898b3e035298b89a814970dd1189","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-04T17:13:58Z/"}],"url":"https://github.com/patriksimek/vm2/commit/8d30d93213c1898b3e035298b89a814970dd1189"},{"reference_url":"https://github.com/patriksimek/vm2/commit/bdd3d15e57bc4ec5e70365cd79f7cb0256e5f88c","reference_id":"bdd3d15e57bc4ec5e70365cd79f7cb0256e5f88c","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-04T17:13:58Z/"}],"url":"https://github.com/patriksimek/vm2/commit/bdd3d15e57bc4ec5e70365cd79f7cb0256e5f88c"},{"reference_url":"https://github.com/patriksimek/vm2/commit/fd266d084e0a3322d0f71ba2a8dc4c96cd030228","reference_id":"fd266d084e0a3322d0f71ba2a8dc4c96cd030228","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-04T17:13:58Z/"}],"url":"https://github.com/patriksimek/vm2/commit/fd266d084e0a3322d0f71ba2a8dc4c96cd030228"},{"reference_url":"https://github.com/advisories/GHSA-v37h-5mfm-c47c","reference_id":"GHSA-v37h-5mfm-c47c","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v37h-5mfm-c47c"},{"reference_url":"https://github.com/patriksi
mek/vm2/security/advisories/GHSA-v37h-5mfm-c47c","reference_id":"GHSA-v37h-5mfm-c47c","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-04T17:13:58Z/"}],"url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-v37h-5mfm-c47c"},{"reference_url":"https://github.com/patriksimek/vm2/releases/tag/v3.11.0","reference_id":"v3.11.0","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-04T17:13:58Z/"}],"url":"https://github.com/patriksimek/vm2/releases/tag/v3.11.0"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375381?format=json","purl":"pkg:npm/vm2@3.11.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-598j-pe72-qkh3"},{"vulnerability":"VCID-8zk3-a7sw-u7an"},{"vulnerability":"VCID-g93v-7a6d-5bfm"},{"vulnerability":"VCID-rt16-s8w5-8qgy"},{"vulnerability":"VCID-tvb2-2e76-27av"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.0"}],"aliases":["CVE-2026-24781","GHSA-v37h-5mfm-c47c"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8he7-t256-1yct"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/67728?format=json","vulnerability_id":"VCID-8pe8-9mh9-27f3","summary":"vm2 is an open source vm/sandbox for Node.js. 
Prior to 3.11.0, vm2's code transformer has a performance optimization that skips AST analysis when the code does not contain catch, import, or async keywords. This fast-path bypass allows sandboxed code to directly access the internal VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL variable, which exposes internal security functions (handleException, wrapWith, import). This vulnerability is fixed in 3.11.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44003","reference_id":"","reference_type":"","scores":[{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.1589","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.15743","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00049","scoring_system":"epss","scoring_elements":"0.15881","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00054","scoring_system":"epss","scoring_elements":"0.17304","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44003"},{"reference_url":"https://github.com/patriksimek/vm2","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44003","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44003"},{"reference_url":"https://github.com/advisories/GHSA-wp5r-2gw5-m7q7","reference_id":"GHSA-wp5r-2gw5-m7q7","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisorie
s/GHSA-wp5r-2gw5-m7q7"},{"reference_url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-wp5r-2gw5-m7q7","reference_id":"GHSA-wp5r-2gw5-m7q7","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-13T18:40:49Z/"}],"url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-wp5r-2gw5-m7q7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375381?format=json","purl":"pkg:npm/vm2@3.11.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-598j-pe72-qkh3"},{"vulnerability":"VCID-8zk3-a7sw-u7an"},{"vulnerability":"VCID-g93v-7a6d-5bfm"},{"vulnerability":"VCID-rt16-s8w5-8qgy"},{"vulnerability":"VCID-tvb2-2e76-27av"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.0"}],"aliases":["CVE-2026-44003","GHSA-wp5r-2gw5-m7q7"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8pe8-9mh9-27f3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/67806?format=json","vulnerability_id":"VCID-8zk3-a7sw-u7an","summary":"vm2 is an open source vm/sandbox for Node.js. 
Versions prior to 3.11.2 are affected; the description in this record is incomplete (see GHSA-9vg3-4rfj-wgcm for details). This vulnerability is fixed in 3.11.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44009","reference_id":"","reference_type":"","scores":[{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05768","published_at":"2026-06-13T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05752","published_at":"2026-06-11T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05777","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.0633","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44009"},{"reference_url":"https://github.com/patriksimek/vm2","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2"},{"reference_url":"https://github.com/patriksimek/vm2/releases/tag/v3.11.2","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2/releases/tag/v3.11.2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44009","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44009"},{"reference_url":"https://github.com/advisories/GHSA-9vg3-4rfj-wgcm","reference_id":"GHSA-9vg3-4rfj-wgcm","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://gith
ub.com/advisories/GHSA-9vg3-4rfj-wgcm"},{"reference_url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-9vg3-4rfj-wgcm","reference_id":"GHSA-9vg3-4rfj-wgcm","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-13T18:41:46Z/"}],"url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-9vg3-4rfj-wgcm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375365?format=json","purl":"pkg:npm/vm2@3.11.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-598j-pe72-qkh3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.2"}],"aliases":["CVE-2026-44009","GHSA-9vg3-4rfj-wgcm"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8zk3-a7sw-u7an"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/67682?format=json","vulnerability_id":"VCID-bcct-j6mk-z7hu","summary":"vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, sandboxed code can call Buffer.alloc() with an arbitrary size to allocate memory directly on the host heap. Because Buffer.alloc is a synchronous C++ native call, vm2's timeout option cannot interrupt it. A single request can exhaust host memory and crash the process with a FATAL ERROR: Reached heap limit. 
This vulnerability is fixed in 3.11.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44004","reference_id":"","reference_type":"","scores":[{"value":"0.00052","scoring_system":"epss","scoring_elements":"0.16892","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00052","scoring_system":"epss","scoring_elements":"0.16741","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00052","scoring_system":"epss","scoring_elements":"0.16906","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00057","scoring_system":"epss","scoring_elements":"0.18309","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44004"},{"reference_url":"https://github.com/patriksimek/vm2","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44004","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44004"},{"reference_url":"https://github.com/advisories/GHSA-6785-pvv7-mvg7","reference_id":"GHSA-6785-pvv7-mvg7","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6785-pvv7-mvg7"},{"reference_url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-6785-pvv7-mvg7","reference_id":"GHSA-6785-pvv7-mvg7","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scori
ng_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-13T18:07:58Z/"}],"url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-6785-pvv7-mvg7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375381?format=json","purl":"pkg:npm/vm2@3.11.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-598j-pe72-qkh3"},{"vulnerability":"VCID-8zk3-a7sw-u7an"},{"vulnerability":"VCID-g93v-7a6d-5bfm"},{"vulnerability":"VCID-rt16-s8w5-8qgy"},{"vulnerability":"VCID-tvb2-2e76-27av"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.0"}],"aliases":["CVE-2026-44004","GHSA-6785-pvv7-mvg7"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bcct-j6mk-z7hu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/166970?format=json","vulnerability_id":"VCID-ct4r-vjm4-4qby","summary":"vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.11 of vm2. 
There are no known workarounds.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-36067.json","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-36067.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-36067","reference_id":"","reference_type":"","scores":[{"value":"0.84468","scoring_system":"epss","scoring_elements":"0.99346","published_at":"2026-06-14T12:55:00Z"},{"value":"0.84468","scoring_system":"epss","scoring_elements":"0.99347","published_at":"2026-06-13T12:55:00Z"},{"value":"0.84468","scoring_system":"epss","scoring_elements":"0.99344","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-36067"},{"reference_url":"https://github.com/patriksimek/vm2","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2"},{"reference_url":"https://security.netapp.com/advisory/ntap-20221017-0002","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20221017-0002"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2124794","reference_id":"2124794","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2124794"},{"reference_url":"https://github.com/patriksimek/vm2/issues/467","reference_id":"467","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/P
R:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:37:00Z/"}],"url":"https://github.com/patriksimek/vm2/issues/467"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-36067","reference_id":"CVE-2022-36067","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-36067"},{"reference_url":"https://github.com/patriksimek/vm2/commit/d9a7f3cc995d3d861e1380eafb886cb3c5e2b873#diff-b1a515a627d820118e76d0e323fe2f0589ed50a1eacb490f6c3278fe3698f164","reference_id":"d9a7f3cc995d3d861e1380eafb886cb3c5e2b873#diff-b1a515a627d820118e76d0e323fe2f0589ed50a1eacb490f6c3278fe3698f164","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:37:00Z/"}],"url":"https://github.com/patriksimek/vm2/commit/d9a7f3cc995d3d861e1380eafb886cb3c5e2b873#diff-b1a515a627d820118e76d0e323fe2f0589ed50a1eacb490f6c3278fe3698f164"},{"reference_url":"https://github.com/advisories/GHSA-mrgp-mrhc-5jrq","reference_id":"GHSA-mrgp-mrhc-5jrq","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mrgp-mrhc-5jrq"},{"reference_url":"https://github.com/patriksimek/
vm2/security/advisories/GHSA-mrgp-mrhc-5jrq","reference_id":"GHSA-mrgp-mrhc-5jrq","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:37:00Z/"}],"url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-mrgp-mrhc-5jrq"},{"reference_url":"https://security.netapp.com/advisory/ntap-20221017-0002/","reference_id":"ntap-20221017-0002","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:37:00Z/"}],"url":"https://security.netapp.com/advisory/ntap-20221017-0002/"},{"reference_url":"https://github.com/patriksimek/vm2/blob/master/lib/setup-sandbox.js#L71","reference_id":"setup-sandbox.js#L71","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:37:00Z/"}],"url":"https://github.com/patriksimek/vm2/blob/master/lib/setup-sandbox.js#L71"},{"reference_url":"https://www.oxeye.io/blog/vm2-sandbreak-vulnerability-cve-2022-36067","reference_id":"vm2-sandbreak-vulnerability-cve-2022-36067","reference_type":"","scores":[{"value":"10","scoring_system":"c
vssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:37:00Z/"}],"url":"https://www.oxeye.io/blog/vm2-sandbreak-vulnerability-cve-2022-36067"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/27148?format=json","purl":"pkg:npm/vm2@3.9.11","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-55dr-v6ew-s3e8"},{"vulnerability":"VCID-598j-pe72-qkh3"},{"vulnerability":"VCID-6fr8-3aqn-wyce"},{"vulnerability":"VCID-6n7e-fz65-jfds"},{"vulnerability":"VCID-77zs-22q5-d7ev"},{"vulnerability":"VCID-8he7-t256-1yct"},{"vulnerability":"VCID-8pe8-9mh9-27f3"},{"vulnerability":"VCID-8zk3-a7sw-u7an"},{"vulnerability":"VCID-bcct-j6mk-z7hu"},{"vulnerability":"VCID-g93v-7a6d-5bfm"},{"vulnerability":"VCID-gbh7-h2ek-hqgg"},{"vulnerability":"VCID-gvhg-db7k-57ey"},{"vulnerability":"VCID-hb4z-qz2p-rqc5"},{"vulnerability":"VCID-k9q9-7mgb-rbbf"},{"vulnerability":"VCID-kjca-h5yw-cudv"},{"vulnerability":"VCID-mqs7-x7bh-17ef"},{"vulnerability":"VCID-nkcm-wcbb-quhs"},{"vulnerability":"VCID-pucd-5ym9-1bc8"},{"vulnerability":"VCID-rm74-p6v5-wkbj"},{"vulnerability":"VCID-rt16-s8w5-8qgy"},{"vulnerability":"VCID-tvb2-2e76-27av"},{"vulnerability":"VCID-ua6c-rrsj-2kg6"},{"vulnerability":"VCID-vj51-w2rv-6qgu"},{"vulnerability":"VCID-vwem-gghh-t7hc"},{"vulnerability":"VCID-w13m-snrt-5ud3"},{"vulnerability":"VCID-wm49-3agn-rffg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.9.11"}],"aliases":["CVE-2022-36067","GHSA-mrgp-mrhc-5jrq"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ct4r-vjm4-4qby"},{"url":"http://public2.vulnerablecode
.io/api/vulnerabilities/67932?format=json","vulnerability_id":"VCID-g93v-7a6d-5bfm","summary":"vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, the new method neutralizeArraySpeciesBatch works with objects from the other side but can call into this side via getter on the array prototype exposing objects of the wrong side into the sandbox. This can be used to get host objects and get the host Function object. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This vulnerability is fixed in 3.11.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44008","reference_id":"","reference_type":"","scores":[{"value":"0.00082","scoring_system":"epss","scoring_elements":"0.24192","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00082","scoring_system":"epss","scoring_elements":"0.23987","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00082","scoring_system":"epss","scoring_elements":"0.24183","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00089","scoring_system":"epss","scoring_elements":"0.25545","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44008"},{"reference_url":"https://github.com/patriksimek/vm2","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2"},{"reference_url":"https://github.com/patriksimek/vm2/releases/tag/v3.11.2","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2/releases/tag/v3.11.2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE
-2026-44008","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44008"},{"reference_url":"https://github.com/advisories/GHSA-9qj6-qjgg-37qq","reference_id":"GHSA-9qj6-qjgg-37qq","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9qj6-qjgg-37qq"},{"reference_url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-9qj6-qjgg-37qq","reference_id":"GHSA-9qj6-qjgg-37qq","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-14T18:21:34Z/"}],"url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-9qj6-qjgg-37qq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375365?format=json","purl":"pkg:npm/vm2@3.11.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-598j-pe72-qkh3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.2"}],"aliases":["CVE-2026-44008","GHSA-9qj6-qjgg-37qq"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-g93v-7a6d-5bfm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70820?format=json","vulnerability_id":"VCID-gvhg-db7k-57ey","summary":"vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. 
This issue has been patched in version 3.11.0.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-26332.json","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-26332.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-26332","reference_id":"","reference_type":"","scores":[{"value":"0.00088","scoring_system":"epss","scoring_elements":"0.25392","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00088","scoring_system":"epss","scoring_elements":"0.25406","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00088","scoring_system":"epss","scoring_elements":"0.25389","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00088","scoring_system":"epss","scoring_elements":"0.25191","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-26332"},{"reference_url":"https://github.com/patriksimek/vm2","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2"},{"reference_url":"https://github.com/patriksimek/vm2/commit/119fd0aa1e4c27b08cf37946b2dafa99e2c754f0","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2/commit/119fd0aa1e4c27b08cf37946b2dafa99e2c754f0"},{"reference_url":"https://github.com/patriksimek/vm2/commit/4cb82cc94d9bb6c9a918b45f8c6790c32a5e913f","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements
":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2/commit/4cb82cc94d9bb6c9a918b45f8c6790c32a5e913f"},{"reference_url":"https://github.com/patriksimek/vm2/commit/7395c3a4b01d302e55271c87dbeb44d6b83b81ca","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2/commit/7395c3a4b01d302e55271c87dbeb44d6b83b81ca"},{"reference_url":"https://github.com/patriksimek/vm2/commit/792e16d56ee429ab19e284ed9c545f5e4694fb7d","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2/commit/792e16d56ee429ab19e284ed9c545f5e4694fb7d"},{"reference_url":"https://github.com/patriksimek/vm2/commit/d715dd88c5aec5bbb4dce03ddf7c3eb3791d0338","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2/commit/d715dd88c5aec5bbb4dce03ddf7c3eb3791d0338"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26332","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26332"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2466508","reference_id":"2466508","reference_type":"","scores":
[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2466508"},{"reference_url":"https://github.com/advisories/GHSA-55hx-c926-fr95","reference_id":"GHSA-55hx-c926-fr95","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-55hx-c926-fr95"},{"reference_url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-55hx-c926-fr95","reference_id":"GHSA-55hx-c926-fr95","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-04T19:06:32Z/"}],"url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-55hx-c926-fr95"},{"reference_url":"https://github.com/patriksimek/vm2/releases/tag/v3.11.0","reference_id":"v3.11.0","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-04T19:06:32Z/"}],"url":"https://github.com/patriksimek/vm2/releases/tag/v3.11.0"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375381?format=json","purl":"pkg:npm/vm2@3.11.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-598j-pe72-qkh3"},{"vulnerability":"VCID-8zk3-a7sw-u7an"},{"vulnerability":"VCID-g93v-7a6d-5bfm"},{"vulnerability":"VCID-rt16-s8w5-8qgy"},{"vulnerability":"VCID-tvb2-2e76-27av"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.0"}],"aliases":["CVE-2026-26332","GHSA-55hx-c926-fr95"],"risk_score":4.5,"exploitab
ility":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gvhg-db7k-57ey"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/67951?format=json","vulnerability_id":"VCID-hb4z-qz2p-rqc5","summary":"vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, a sandbox escape vulnerability in vm2 v3.10.5 allows any sandboxed code to crash the host Node.js process via a single Promise constructor that triggers an unhandled rejection propagating to the host. The fix for CVE-2026-22709 (v3.10.2) only sanitized the onRejected callback in .then() and .catch() overrides and did not address the executor-to-unhandledRejection path. This vulnerability is fixed in 3.11.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44001","reference_id":"","reference_type":"","scores":[{"value":"0.00052","scoring_system":"epss","scoring_elements":"0.16892","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00052","scoring_system":"epss","scoring_elements":"0.16741","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00052","scoring_system":"epss","scoring_elements":"0.16906","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00057","scoring_system":"epss","scoring_elements":"0.18309","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44001"},{"reference_url":"https://github.com/patriksimek/vm2","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44001","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements
":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44001"},{"reference_url":"https://github.com/advisories/GHSA-99p7-6v5w-7xg8","reference_id":"GHSA-99p7-6v5w-7xg8","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-99p7-6v5w-7xg8"},{"reference_url":"https://github.com/advisories/GHSA-hw58-p9xv-2mjh","reference_id":"GHSA-hw58-p9xv-2mjh","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hw58-p9xv-2mjh"},{"reference_url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-hw58-p9xv-2mjh","reference_id":"GHSA-hw58-p9xv-2mjh","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-18T15:16:50Z/"}],"url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-hw58-p9xv-2mjh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375381?format=json","purl":"pkg:npm/vm2@3.11.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-598j-pe72-qkh3"},{"vulnerability":"VCID-8zk3-a7sw-u7an"},{"vulnerability":"VCID-g93v-7a6d-5bfm"},{"vulnerability":"VCID-rt16-s8w5-8qgy"},{"vulnerability":"VCID-tvb2-2e76-27av"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.0"}],"aliases":["CVE-2026-44001","GHSA-hw58-p9xv-2mjh"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hb4z-qz2p-rqc5"},{"url":"http
://public2.vulnerablecode.io/api/vulnerabilities/71039?format=json","vulnerability_id":"VCID-k9q9-7mgb-rbbf","summary":"vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to a full sandbox escape with arbitrary code execution. Attacker code inside VM.run() obtains the host process object and runs host commands without any host cooperation. This issue has been patched in version 3.10.5.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-26956.json","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-26956.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-26956","reference_id":"","reference_type":"","scores":[{"value":"0.00129","scoring_system":"epss","scoring_elements":"0.32075","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00129","scoring_system":"epss","scoring_elements":"0.32096","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00129","scoring_system":"epss","scoring_elements":"0.31893","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00129","scoring_system":"epss","scoring_elements":"0.32079","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-26956"},{"reference_url":"https://github.com/patriksimek/vm2","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26956","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_text
ual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26956"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2466548","reference_id":"2466548","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2466548"},{"reference_url":"https://github.com/advisories/GHSA-ffh4-j6h5-pg66","reference_id":"GHSA-ffh4-j6h5-pg66","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-ffh4-j6h5-pg66"},{"reference_url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-ffh4-j6h5-pg66","reference_id":"GHSA-ffh4-j6h5-pg66","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-05T13:09:59Z/"}],"url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-ffh4-j6h5-pg66"},{"reference_url":"https://github.com/patriksimek/vm2/releases/tag/v3.10.5","reference_id":"v3.10.5","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-05T13:09:59Z/"}],"url":"https://github.com/patriksimek/vm2/releases/tag/v3.10.5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375356?format=json","purl":"pkg:npm/vm2@3.10.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-55dr-v6ew-s3e8"},{"vulnerability":"VCID-598j-pe72-qkh3"},{"vulnerability":"VCID-6fr8-3aqn-wyce"},{"vulnerability":"VCID-77zs-
22q5-d7ev"},{"vulnerability":"VCID-88m4-3mra-mqfc"},{"vulnerability":"VCID-8he7-t256-1yct"},{"vulnerability":"VCID-8pe8-9mh9-27f3"},{"vulnerability":"VCID-8zk3-a7sw-u7an"},{"vulnerability":"VCID-bcct-j6mk-z7hu"},{"vulnerability":"VCID-g93v-7a6d-5bfm"},{"vulnerability":"VCID-gbh7-h2ek-hqgg"},{"vulnerability":"VCID-gvhg-db7k-57ey"},{"vulnerability":"VCID-hb4z-qz2p-rqc5"},{"vulnerability":"VCID-kjca-h5yw-cudv"},{"vulnerability":"VCID-rt16-s8w5-8qgy"},{"vulnerability":"VCID-tvb2-2e76-27av"},{"vulnerability":"VCID-vwem-gghh-t7hc"},{"vulnerability":"VCID-x2zr-7eqd-m3b7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.10.5"}],"aliases":["CVE-2026-26956","GHSA-ffh4-j6h5-pg66"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-k9q9-7mgb-rbbf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/82947?format=json","vulnerability_id":"VCID-kjca-h5yw-cudv","summary":"vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. 
This issue has been patched in version 3.11.0.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24118.json","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24118.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24118","reference_id":"","reference_type":"","scores":[{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.39156","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.39164","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.38968","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00176","scoring_system":"epss","scoring_elements":"0.3914","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24118"},{"reference_url":"https://github.com/patriksimek/vm2","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24118","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24118"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2466502","reference_id":"2466502","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2466502"},{"reference_url":"https://github.com/patriksimek/vm2/commit/2b5f3e3a060d9088f5e1cdd585d683d4
91f990a3","reference_id":"2b5f3e3a060d9088f5e1cdd585d683d491f990a3","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-04T18:24:17Z/"}],"url":"https://github.com/patriksimek/vm2/commit/2b5f3e3a060d9088f5e1cdd585d683d491f990a3"},{"reference_url":"https://github.com/patriksimek/vm2/commit/f9b700b1c7d9ef2df416666cb24e0b659140cc74","reference_id":"f9b700b1c7d9ef2df416666cb24e0b659140cc74","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-04T18:24:17Z/"}],"url":"https://github.com/patriksimek/vm2/commit/f9b700b1c7d9ef2df416666cb24e0b659140cc74"},{"reference_url":"https://github.com/advisories/GHSA-grj5-jjm8-h35p","reference_id":"GHSA-grj5-jjm8-h35p","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-grj5-jjm8-h35p"},{"reference_url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-grj5-jjm8-h35p","reference_id":"GHSA-grj5-jjm8-h35p","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-04T18:24:17Z/"}],"url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-grj5-jjm8-h35p"},{"referen
ce_url":"https://github.com/patriksimek/vm2/releases/tag/v3.11.0","reference_id":"v3.11.0","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-04T18:24:17Z/"}],"url":"https://github.com/patriksimek/vm2/releases/tag/v3.11.0"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375381?format=json","purl":"pkg:npm/vm2@3.11.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-598j-pe72-qkh3"},{"vulnerability":"VCID-8zk3-a7sw-u7an"},{"vulnerability":"VCID-g93v-7a6d-5bfm"},{"vulnerability":"VCID-rt16-s8w5-8qgy"},{"vulnerability":"VCID-tvb2-2e76-27av"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.0"}],"aliases":["CVE-2026-24118","GHSA-grj5-jjm8-h35p"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kjca-h5yw-cudv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/129987?format=json","vulnerability_id":"VCID-mqs7-x7bh-17ef","summary":"vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. There exists a vulnerability in exception sanitization of vm2 for versions up to 3.9.16, allowing attackers to raise an unsanitized host exception inside `handleException()` which can be used to escape the sandbox and run arbitrary code in host context. This vulnerability was patched in the release of version `3.9.17` of `vm2`. There are no known workarounds for this vulnerability. 
Users are advised to upgrade.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-30547.json","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-30547.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-30547","reference_id":"","reference_type":"","scores":[{"value":"0.83683","scoring_system":"epss","scoring_elements":"0.99312","published_at":"2026-06-13T12:55:00Z"},{"value":"0.83683","scoring_system":"epss","scoring_elements":"0.99311","published_at":"2026-06-14T12:55:00Z"},{"value":"0.83683","scoring_system":"epss","scoring_elements":"0.99308","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-30547"},{"reference_url":"https://github.com/patriksimek/vm2","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2"},{"reference_url":"https://github.com/patriksimek/vm2/releases/tag/3.9.17","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2/releases/tag/3.9.17"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-30547","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-30547"},{"reference_url":"https://bugzill
a.redhat.com/show_bug.cgi?id=2187608","reference_id":"2187608","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2187608"},{"reference_url":"https://gist.github.com/leesh3288/381b230b04936dd4d74aaf90cc8bb244","reference_id":"381b230b04936dd4d74aaf90cc8bb244","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-02-05T20:29:43Z/"}],"url":"https://gist.github.com/leesh3288/381b230b04936dd4d74aaf90cc8bb244"},{"reference_url":"https://github.com/patriksimek/vm2/commit/4b22e87b102d97d45d112a0931dba1aef7eea049","reference_id":"4b22e87b102d97d45d112a0931dba1aef7eea049","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-02-05T20:29:43Z/"}],"url":"https://github.com/patriksimek/vm2/commit/4b22e87b102d97d45d112a0931dba1aef7eea049"},{"reference_url":"https://github.com/patriksimek/vm2/commit/f3db4dee4d76b19869df05ba7880d638a880edd5","reference_id":"f3db4dee4d76b19869df05ba7880d638a880edd5","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-02-05T20:29:43Z/"}],"url":"https://github.com/patriksimek/vm2/commit/f3db4dee4d76b19869df05ba7880d638a880edd5"},{"reference_url":"https://github.com/advisories/GHSA-ch3r-j5x3-6q2m","reference_id":"GHSA-ch3r-j5x3-6q2m","r
eference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-ch3r-j5x3-6q2m"},{"reference_url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-ch3r-j5x3-6q2m","reference_id":"GHSA-ch3r-j5x3-6q2m","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-02-05T20:29:43Z/"}],"url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-ch3r-j5x3-6q2m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/379377?format=json","purl":"pkg:npm/vm2@3.9.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-55dr-v6ew-s3e8"},{"vulnerability":"VCID-598j-pe72-qkh3"},{"vulnerability":"VCID-6fr8-3aqn-wyce"},{"vulnerability":"VCID-6n7e-fz65-jfds"},{"vulnerability":"VCID-77zs-22q5-d7ev"},{"vulnerability":"VCID-8he7-t256-1yct"},{"vulnerability":"VCID-8pe8-9mh9-27f3"},{"vulnerability":"VCID-8zk3-a7sw-u7an"},{"vulnerability":"VCID-bcct-j6mk-z7hu"},{"vulnerability":"VCID-g93v-7a6d-5bfm"},{"vulnerability":"VCID-gbh7-h2ek-hqgg"},{"vulnerability":"VCID-gvhg-db7k-57ey"},{"vulnerability":"VCID-hb4z-qz2p-rqc5"},{"vulnerability":"VCID-k9q9-7mgb-rbbf"},{"vulnerability":"VCID-kjca-h5yw-cudv"},{"vulnerability":"VCID-nkcm-wcbb-quhs"},{"vulnerability":"VCID-pucd-5ym9-1bc8"},{"vulnerability":"VCID-rt16-s8w5-8qgy"},{"vulnerability":"VCID-tvb2-2e76-27av"},{"vulnerability":"VCID-ua6c-rrsj-2kg6"},{"vulnerability":"VCID-vj51-w2rv-6qgu"},{"vulnerability":"VCID-vwem-gghh-t7hc"},{"vulnerability":"VCID-wm49-3agn-rffg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.9.17"}],"aliases":["CVE-2023-30547","GHSA-c
h3r-j5x3-6q2m"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mqs7-x7bh-17ef"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/83370?format=json","vulnerability_id":"VCID-nkcm-wcbb-quhs","summary":"vm2 is an open source vm/sandbox for Node.js. In vm2 prior to version 3.10.2, `Promise.prototype.then` and `Promise.prototype.catch` callback sanitization can be bypassed. This allows attackers to escape the sandbox and run arbitrary code. In lib/setup-sandbox.js, the callback function of `localPromise.prototype.then` is sanitized, but `globalPromise.prototype.then` is not sanitized. The return value of async functions is a `globalPromise` object. Version 3.10.2 fixes the issue.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-22709","reference_id":"","reference_type":"","scores":[{"value":"0.00054","scoring_system":"epss","scoring_elements":"0.17446","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00054","scoring_system":"epss","scoring_elements":"0.17418","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00054","scoring_system":"epss","scoring_elements":"0.1743","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00054","scoring_system":"epss","scoring_elements":"0.17266","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-22709"},{"reference_url":"https://github.com/patriksimek/vm2","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2"},{"reference_url":"https://github.com/patriksimek/vm2/commit/4b009c2d4b1131c01810c1205e641d614c322a29","reference_id":"4b009c2d4b1131c01810c1205e641d614c322a29","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_
elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-01-27T21:42:17Z/"}],"url":"https://github.com/patriksimek/vm2/commit/4b009c2d4b1131c01810c1205e641d614c322a29"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22709","reference_id":"CVE-2026-22709","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22709"},{"reference_url":"https://github.com/advisories/GHSA-99p7-6v5w-7xg8","reference_id":"GHSA-99p7-6v5w-7xg8","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-99p7-6v5w-7xg8"},{"reference_url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-99p7-6v5w-7xg8","reference_id":"GHSA-99p7-6v5w-7xg8","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-01-27T21:42:17Z/"}],"url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-99p7-6v5w-7xg8"},{"reference_url":"https://github.com/patriksimek/vm2/releases/tag/v3.10.2","reference_id":"v3.10.2","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":
"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-01-27T21:42:17Z/"}],"url":"https://github.com/patriksimek/vm2/releases/tag/v3.10.2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38164?format=json","purl":"pkg:npm/vm2@3.10.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-55dr-v6ew-s3e8"},{"vulnerability":"VCID-598j-pe72-qkh3"},{"vulnerability":"VCID-6fr8-3aqn-wyce"},{"vulnerability":"VCID-77zs-22q5-d7ev"},{"vulnerability":"VCID-8he7-t256-1yct"},{"vulnerability":"VCID-8pe8-9mh9-27f3"},{"vulnerability":"VCID-8zk3-a7sw-u7an"},{"vulnerability":"VCID-bcct-j6mk-z7hu"},{"vulnerability":"VCID-g93v-7a6d-5bfm"},{"vulnerability":"VCID-gbh7-h2ek-hqgg"},{"vulnerability":"VCID-gvhg-db7k-57ey"},{"vulnerability":"VCID-hb4z-qz2p-rqc5"},{"vulnerability":"VCID-k9q9-7mgb-rbbf"},{"vulnerability":"VCID-kjca-h5yw-cudv"},{"vulnerability":"VCID-pucd-5ym9-1bc8"},{"vulnerability":"VCID-rt16-s8w5-8qgy"},{"vulnerability":"VCID-tvb2-2e76-27av"},{"vulnerability":"VCID-vwem-gghh-t7hc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.10.2"}],"aliases":["CVE-2026-22709","GHSA-99p7-6v5w-7xg8"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nkcm-wcbb-quhs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/83213?format=json","vulnerability_id":"VCID-pucd-5ym9-1bc8","summary":"vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. 
This issue has been patched in version 3.10.5.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24120.json","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24120.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24120","reference_id":"","reference_type":"","scores":[{"value":"0.00129","scoring_system":"epss","scoring_elements":"0.3201","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00129","scoring_system":"epss","scoring_elements":"0.3203","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00129","scoring_system":"epss","scoring_elements":"0.32014","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00129","scoring_system":"epss","scoring_elements":"0.31828","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24120"},{"reference_url":"https://github.com/patriksimek/vm2","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24120","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24120"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2466529","reference_id":"2466529","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2466529"},{"reference_url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5"
,"reference_id":"GHSA-cchq-frgv-rjh5","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5"},{"reference_url":"https://github.com/advisories/GHSA-qvjj-29qf-hp7p","reference_id":"GHSA-qvjj-29qf-hp7p","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qvjj-29qf-hp7p"},{"reference_url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-qvjj-29qf-hp7p","reference_id":"GHSA-qvjj-29qf-hp7p","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-05T01:00:04Z/"}],"url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-qvjj-29qf-hp7p"},{"reference_url":"https://github.com/patriksimek/vm2/releases/tag/v3.10.5","reference_id":"v3.10.5","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-05T01:00:04Z/"}],"url":"https://github.com/patriksimek/vm2/releases/tag/v3.10.5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375356?format=json","purl":"pkg:npm/vm2@3.10.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-55dr-v6ew-s3e8"},{"vulnerability":"VCID-598j-pe72-qkh3"},{"
vulnerability":"VCID-6fr8-3aqn-wyce"},{"vulnerability":"VCID-77zs-22q5-d7ev"},{"vulnerability":"VCID-88m4-3mra-mqfc"},{"vulnerability":"VCID-8he7-t256-1yct"},{"vulnerability":"VCID-8pe8-9mh9-27f3"},{"vulnerability":"VCID-8zk3-a7sw-u7an"},{"vulnerability":"VCID-bcct-j6mk-z7hu"},{"vulnerability":"VCID-g93v-7a6d-5bfm"},{"vulnerability":"VCID-gbh7-h2ek-hqgg"},{"vulnerability":"VCID-gvhg-db7k-57ey"},{"vulnerability":"VCID-hb4z-qz2p-rqc5"},{"vulnerability":"VCID-kjca-h5yw-cudv"},{"vulnerability":"VCID-rt16-s8w5-8qgy"},{"vulnerability":"VCID-tvb2-2e76-27av"},{"vulnerability":"VCID-vwem-gghh-t7hc"},{"vulnerability":"VCID-x2zr-7eqd-m3b7"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.10.5"}],"aliases":["CVE-2026-24120","GHSA-qvjj-29qf-hp7p"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pucd-5ym9-1bc8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/335466?format=json","vulnerability_id":"VCID-qsyb-rkff-wyht","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-23449","reference_id":"","reference_type":"","scores":[{"value":"0.02202","scoring_system":"epss","scoring_elements":"0.8479","published_at":"2026-06-11T12:55:00Z"},{"value":"0.02202","scoring_system":"epss","scoring_elements":"0.84843","published_at":"2026-06-14T12:55:00Z"},{"value":"0.02202","scoring_system":"epss","scoring_elements":"0.84851","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-23449"},{"reference_url":"https://github.com/patriksimek/vm2","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2"},{"reference_url":"https://github.com/patriksimek/vm2/commit/b4f6e2bd2c4a1ef5
2fc4483d8e35f28bc4481886","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2/commit/b4f6e2bd2c4a1ef52fc4483d8e35f28bc4481886"},{"reference_url":"https://github.com/patriksimek/vm2/issues/363","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2/issues/363"},{"reference_url":"https://github.com/patriksimek/vm2/releases/tag/3.9.4","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2/releases/tag/3.9.4"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23449","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23449"},{"reference_url":"https://security.netapp.com/advisory/ntap-20211029-0010","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20211029-0010"},{"reference_url":"https://security.netapp.com/advisory/ntap-20211029-0010/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20
211029-0010/"},{"reference_url":"https://snyk.io/vuln/SNYK-JS-VM2-1585918","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://snyk.io/vuln/SNYK-JS-VM2-1585918"},{"reference_url":"https://github.com/advisories/GHSA-rjf2-j2r6-q8gr","reference_id":"GHSA-rjf2-j2r6-q8gr","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rjf2-j2r6-q8gr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/382270?format=json","purl":"pkg:npm/vm2@3.9.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3srt-uk7n-xqcw"},{"vulnerability":"VCID-55dr-v6ew-s3e8"},{"vulnerability":"VCID-598j-pe72-qkh3"},{"vulnerability":"VCID-6fr8-3aqn-wyce"},{"vulnerability":"VCID-6n7e-fz65-jfds"},{"vulnerability":"VCID-77zs-22q5-d7ev"},{"vulnerability":"VCID-8he7-t256-1yct"},{"vulnerability":"VCID-8pe8-9mh9-27f3"},{"vulnerability":"VCID-8zk3-a7sw-u7an"},{"vulnerability":"VCID-bcct-j6mk-z7hu"},{"vulnerability":"VCID-ct4r-vjm4-4qby"},{"vulnerability":"VCID-g93v-7a6d-5bfm"},{"vulnerability":"VCID-gvhg-db7k-57ey"},{"vulnerability":"VCID-hb4z-qz2p-rqc5"},{"vulnerability":"VCID-k9q9-7mgb-rbbf"},{"vulnerability":"VCID-kjca-h5yw-cudv"},{"vulnerability":"VCID-mqs7-x7bh-17ef"},{"vulnerability":"VCID-nkcm-wcbb-quhs"},{"vulnerability":"VCID-pucd-5ym9-1bc8"},{"vulnerability":"VCID-rm74-p6v5-wkbj"},{"vulnerability":"VCID-rt16-s8w5-8qgy"},{"vulnerability":"VCID-tvb2-2e76-27av"},{"vulnerability":"VCID-ua6c-rrsj-2kg6"},{"vulnerability":"VCID-vj51-w2rv-6qgu"},{"vulnerability":"VCID-vsvp-q6bs-3qau"},{"vulnerability":"VCID-vwem-gghh-t7hc"},{"vulnerability":"VCID-w13m-snrt-5ud3"},{"vulnerability":"VCID-wm49-3agn-rffg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.9.4
"}],"aliases":["CVE-2021-23449","GHSA-rjf2-j2r6-q8gr"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qsyb-rkff-wyht"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/140478?format=json","vulnerability_id":"VCID-rm74-p6v5-wkbj","summary":"There exists a vulnerability in source code transformer (exception sanitization logic) of vm2 for versions up to 3.9.15, allowing attackers to bypass `handleException()` and leak unsanitized host exceptions which can be used to escape the sandbox and run arbitrary code in host context. A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version `3.9.16` of `vm2`.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-29199.json","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-29199.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-29199","reference_id":"","reference_type":"","scores":[{"value":"0.18512","scoring_system":"epss","scoring_elements":"0.95416","published_at":"2026-06-14T12:55:00Z"},{"value":"0.18512","scoring_system":"epss","scoring_elements":"0.95415","published_at":"2026-06-13T12:55:00Z"},{"value":"0.24972","scoring_system":"epss","scoring_elements":"0.9629","published_at":"2026-06-11T12:55:00Z"},{"value":"0.24972","scoring_system":"epss","scoring_elements":"0.96301","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-29199"},{"reference_url":"https://github.com/patriksimek/vm2","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:
H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-29199","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-29199"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2187409","reference_id":"2187409","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2187409"},{"reference_url":"https://github.com/patriksimek/vm2/commit/24c724daa7c09f003e556d7cd1c7a8381cb985d7","reference_id":"24c724daa7c09f003e556d7cd1c7a8381cb985d7","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-06T18:44:31Z/"}],"url":"https://github.com/patriksimek/vm2/commit/24c724daa7c09f003e556d7cd1c7a8381cb985d7"},{"reference_url":"https://github.com/patriksimek/vm2/releases/tag/3.9.16","reference_id":"3.9.16","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-06T18:44:31Z/"}],"url":"https://github.com/patriksimek/vm2/releases/tag/3.9.16"},{"reference_url":"https://github.com/patriksimek/vm2/issues/516","reference_id":"516","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-06T18:44:31Z/"}],"url":"https://github.com/patriksimek/vm2/issues/516"},{"reference_url":"https://gist.github.com/leesh3288/f05730165799bf56d70391f3d9ea187c","reference_id":"f05730165799bf56d70391f3d9ea187c","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-06T18:44:31Z/"}],"url":"https://gist.github.com/leesh3288/f05730165799bf56d70391f3d9ea187c"},{"reference_url":"https://github.com/advisories/GHSA-xj72-wvfv-8985","reference_id":"GHSA-xj72-wvfv-8985","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xj72-wvfv-8985"},{"reference_url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-xj72-wvfv-8985","reference_id":"GHSA-xj72-wvfv-8985","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-02-06T18:44:31Z/"}],"url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-xj72-wvfv-8985"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/379392?format=json","purl":"pkg:npm/vm2@3.9.16","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-55dr-v6ew-s3e8"},{"vulnerability":"VCID-598j-pe72-qkh3"},{"vulnerability":"VCID-6fr8-3aqn-wyce"},{
"vulnerability":"VCID-6n7e-fz65-jfds"},{"vulnerability":"VCID-77zs-22q5-d7ev"},{"vulnerability":"VCID-8he7-t256-1yct"},{"vulnerability":"VCID-8pe8-9mh9-27f3"},{"vulnerability":"VCID-8zk3-a7sw-u7an"},{"vulnerability":"VCID-bcct-j6mk-z7hu"},{"vulnerability":"VCID-g93v-7a6d-5bfm"},{"vulnerability":"VCID-gbh7-h2ek-hqgg"},{"vulnerability":"VCID-gvhg-db7k-57ey"},{"vulnerability":"VCID-hb4z-qz2p-rqc5"},{"vulnerability":"VCID-k9q9-7mgb-rbbf"},{"vulnerability":"VCID-kjca-h5yw-cudv"},{"vulnerability":"VCID-mqs7-x7bh-17ef"},{"vulnerability":"VCID-nkcm-wcbb-quhs"},{"vulnerability":"VCID-pucd-5ym9-1bc8"},{"vulnerability":"VCID-rt16-s8w5-8qgy"},{"vulnerability":"VCID-tvb2-2e76-27av"},{"vulnerability":"VCID-ua6c-rrsj-2kg6"},{"vulnerability":"VCID-vj51-w2rv-6qgu"},{"vulnerability":"VCID-vwem-gghh-t7hc"},{"vulnerability":"VCID-wm49-3agn-rffg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.9.16"}],"aliases":["CVE-2023-29199","GHSA-xj72-wvfv-8985"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rm74-p6v5-wkbj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/67672?format=json","vulnerability_id":"VCID-rt16-s8w5-8qgy","summary":"vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.1, when a NodeVM is created with nesting: true, sandbox code can unconditionally require('vm2') regardless of the outer VM's require configuration — including require: false. With access to vm2, the sandbox constructs a new inner NodeVM with its own unrestricted require settings and executes arbitrary OS commands on the host. Any application that runs untrusted code inside a NodeVM with nesting: true is fully compromised. 
This vulnerability is fixed in 3.11.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44007","reference_id":"","reference_type":"","scores":[{"value":"0.00047","scoring_system":"epss","scoring_elements":"0.15083","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00047","scoring_system":"epss","scoring_elements":"0.15211","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00047","scoring_system":"epss","scoring_elements":"0.15207","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00051","scoring_system":"epss","scoring_elements":"0.166","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44007"},{"reference_url":"https://github.com/patriksimek/vm2","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2"},{"reference_url":"https://github.com/patriksimek/vm2/releases/tag/v3.11.1","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2/releases/tag/v3.11.1"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44007","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44007"},{"reference_url":"http://www.openwall.com/lists/oss-security/2026/05/05/11","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CR
ITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2026/05/05/11"},{"reference_url":"https://github.com/advisories/GHSA-8hg8-63c5-gwmx","reference_id":"GHSA-8hg8-63c5-gwmx","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8hg8-63c5-gwmx"},{"reference_url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-8hg8-63c5-gwmx","reference_id":"GHSA-8hg8-63c5-gwmx","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-15T03:55:57Z/"}],"url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-8hg8-63c5-gwmx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375840?format=json","purl":"pkg:npm/vm2@3.11.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-598j-pe72-qkh3"},{"vulnerability":"VCID-8zk3-a7sw-u7an"},{"vulnerability":"VCID-g93v-7a6d-5bfm"},{"vulnerability":"VCID-tvb2-2e76-27av"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.1"}],"aliases":["CVE-2026-44007","GHSA-8hg8-63c5-gwmx"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rt16-s8w5-8qgy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360255?format=json","vulnerability_id":"VCID-tvb2-2e76-27av","summary":"vm2 has access to `VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL`\n### Summary\n\nhttps://github.com/patriksimek/vm2/security/advisories/GHSA-wp5r-2gw5-m7q7 is not fully patched.\n\n### Details\n\nIt is still 
possible to get access to `VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL`.\n\n### PoC\n\n```js\nconst {VM} = require(\"vm2\");\nconst vm = new VM();\nconsole.log(vm.run(`\n globalThis['VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL']\n`));\n```","references":[{"reference_url":"https://github.com/patriksimek/vm2","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2"},{"reference_url":"https://github.com/patriksimek/vm2/releases/tag/v3.11.2","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2/releases/tag/v3.11.2"},{"reference_url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-2cm2-m3w5-gp2f","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-2cm2-m3w5-gp2f"},{"reference_url":"https://github.com/advisories/GHSA-2cm2-m3w5-gp2f","reference_id":"GHSA-2cm2-m3w5-gp2f","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2cm2-m3w5-gp2f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375365?format=json","purl":"pkg:npm/vm2@3.11.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-598j-pe72-qkh3"}],"resource_url":"http://public2.vulnerablecode.
io/packages/pkg:npm/vm2@3.11.2"}],"aliases":["GHSA-2cm2-m3w5-gp2f"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tvb2-2e76-27av"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/143436?format=json","vulnerability_id":"VCID-ua6c-rrsj-2kg6","summary":"vm2 is a sandbox that can run untrusted code with Node's built-in modules. A sandbox escape vulnerability exists in vm2 for versions up to and including 3.9.17. The escape abuses an unexpected creation of a host object based on the specification of `Proxy`. As a result, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version `3.9.18` of `vm2`. Users are advised to upgrade. There are no known workarounds for this vulnerability.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-32314.json","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-32314.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-32314","reference_id":"","reference_type":"","scores":[{"value":"0.61685","scoring_system":"epss","scoring_elements":"0.98369","published_at":"2026-06-14T12:55:00Z"},{"value":"0.61685","scoring_system":"epss","scoring_elements":"0.98368","published_at":"2026-06-12T12:55:00Z"},{"value":"0.61685","scoring_system":"epss","scoring_elements":"0.98362","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-32314"},{"reference_url":"https://github.com/patriksimek/vm2","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scor
ing_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32314","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32314"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2208376","reference_id":"2208376","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2208376"},{"reference_url":"https://github.com/patriksimek/vm2/releases/tag/3.9.18","reference_id":"3.9.18","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-01-22T21:42:22Z/"}],"url":"https://github.com/patriksimek/vm2/releases/tag/3.9.18"},{"reference_url":"https://github.com/patriksimek/vm2/commit/d88105f99752305c5b8a77b63ddee3ec86912daf","reference_id":"d88105f99752305c5b8a77b63ddee3ec86912daf","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-01-22T21:42:22Z/"}],"url":"https://github.com/patriksimek/vm2/commit/d88105f99752305c5b8a77b63ddee3ec86912daf"},{"reference_url":"https://gist.github.com/arkark/e9f5cf5782dec8321095be3e52acf5ac","reference_id":"e9f5cf5782dec8321095be3e52acf5ac","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U
/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-01-22T21:42:22Z/"}],"url":"https://gist.github.com/arkark/e9f5cf5782dec8321095be3e52acf5ac"},{"reference_url":"https://github.com/advisories/GHSA-whpj-8f3w-67p5","reference_id":"GHSA-whpj-8f3w-67p5","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-whpj-8f3w-67p5"},{"reference_url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-whpj-8f3w-67p5","reference_id":"GHSA-whpj-8f3w-67p5","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-01-22T21:42:22Z/"}],"url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-whpj-8f3w-67p5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/381961?format=json","purl":"pkg:npm/vm2@3.9.18","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-55dr-v6ew-s3e8"},{"vulnerability":"VCID-598j-pe72-qkh3"},{"vulnerability":"VCID-6fr8-3aqn-wyce"},{"vulnerability":"VCID-6n7e-fz65-jfds"},{"vulnerability":"VCID-77zs-22q5-d7ev"},{"vulnerability":"VCID-8he7-t256-1yct"},{"vulnerability":"VCID-8pe8-9mh9-27f3"},{"vulnerability":"VCID-8zk3-a7sw-u7an"},{"vulnerability":"VCID-bcct-j6mk-z7hu"},{"vulnerability":"VCID-g93v-7a6d-5bfm"},{"vulnerability":"VCID-gbh7-h2ek-hqgg"},{"vulnerability":"VCID-gvhg-db7k-57ey"},{"vulnerability":"VCID-hb4z-qz2p-rqc5"},{"vulnerability":"VCID-k9q9-7mgb-rbbf"},{"vulnerability":"VCID-kjca-h5yw-cudv"},{"vulnerability":"VCID-nkcm-wcbb-quhs"},
{"vulnerability":"VCID-pucd-5ym9-1bc8"},{"vulnerability":"VCID-rt16-s8w5-8qgy"},{"vulnerability":"VCID-tvb2-2e76-27av"},{"vulnerability":"VCID-vwem-gghh-t7hc"},{"vulnerability":"VCID-wm49-3agn-rffg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.9.18"}],"aliases":["CVE-2023-32314","GHSA-whpj-8f3w-67p5"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ua6c-rrsj-2kg6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/143123?format=json","vulnerability_id":"VCID-vj51-w2rv-6qgu","summary":"vm2 is a sandbox that can run untrusted code with Node's built-in modules. In versions 3.9.17 and lower of vm2 it was possible to get a read-write reference to the node `inspect` method and edit options for `console.log`. As a result a threat actor can edit options for the `console.log` command. This vulnerability was patched in the release of version `3.9.18` of `vm2`. Users are advised to upgrade. 
Users unable to upgrade may make the `inspect` method readonly with `vm.readonly(inspect)` after creating a vm.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-32313.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-32313.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-32313","reference_id":"","reference_type":"","scores":[{"value":"0.00712","scoring_system":"epss","scoring_elements":"0.7277","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00712","scoring_system":"epss","scoring_elements":"0.72846","published_at":"2026-06-12T12:55:00Z"},{"value":"0.01556","scoring_system":"epss","scoring_elements":"0.81921","published_at":"2026-06-14T12:55:00Z"},{"value":"0.01556","scoring_system":"epss","scoring_elements":"0.81929","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-32313"},{"reference_url":"https://github.com/patriksimek/vm2","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32313","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32313"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2208377","reference_id":"2208377","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2208377"},{"reference_url":"https://g
ithub.com/patriksimek/vm2/releases/tag/3.9.18","reference_id":"3.9.18","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-22T21:42:52Z/"}],"url":"https://github.com/patriksimek/vm2/releases/tag/3.9.18"},{"reference_url":"https://github.com/patriksimek/vm2/commit/5206ba25afd86ef547a2c9d48d46ca7a9e6ec238","reference_id":"5206ba25afd86ef547a2c9d48d46ca7a9e6ec238","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-22T21:42:52Z/"}],"url":"https://github.com/patriksimek/vm2/commit/5206ba25afd86ef547a2c9d48d46ca7a9e6ec238"},{"reference_url":"https://gist.github.com/arkark/c1c57eaf3e0a649af1a70c2b93b17550","reference_id":"c1c57eaf3e0a649af1a70c2b93b17550","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-22T21:42:52Z/"}],"url":"https://gist.github.com/arkark/c1c57eaf3e0a649af1a70c2b93b17550"},{"reference_url":"https://github.com/advisories/GHSA-p5gc-c584-jj6v","reference_id":"GHSA-p5gc-c584-jj6v","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p5gc-c584-jj6v"},{"reference_url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-p5gc-c584-jj6v","reference_id":"GHSA-p5gc-
c584-jj6v","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-01-22T21:42:52Z/"}],"url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-p5gc-c584-jj6v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/381961?format=json","purl":"pkg:npm/vm2@3.9.18","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-55dr-v6ew-s3e8"},{"vulnerability":"VCID-598j-pe72-qkh3"},{"vulnerability":"VCID-6fr8-3aqn-wyce"},{"vulnerability":"VCID-6n7e-fz65-jfds"},{"vulnerability":"VCID-77zs-22q5-d7ev"},{"vulnerability":"VCID-8he7-t256-1yct"},{"vulnerability":"VCID-8pe8-9mh9-27f3"},{"vulnerability":"VCID-8zk3-a7sw-u7an"},{"vulnerability":"VCID-bcct-j6mk-z7hu"},{"vulnerability":"VCID-g93v-7a6d-5bfm"},{"vulnerability":"VCID-gbh7-h2ek-hqgg"},{"vulnerability":"VCID-gvhg-db7k-57ey"},{"vulnerability":"VCID-hb4z-qz2p-rqc5"},{"vulnerability":"VCID-k9q9-7mgb-rbbf"},{"vulnerability":"VCID-kjca-h5yw-cudv"},{"vulnerability":"VCID-nkcm-wcbb-quhs"},{"vulnerability":"VCID-pucd-5ym9-1bc8"},{"vulnerability":"VCID-rt16-s8w5-8qgy"},{"vulnerability":"VCID-tvb2-2e76-27av"},{"vulnerability":"VCID-vwem-gghh-t7hc"},{"vulnerability":"VCID-wm49-3agn-rffg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.9.18"}],"aliases":["CVE-2023-32313","GHSA-p5gc-c584-jj6v"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vj51-w2rv-6qgu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/349369?format=json","vulnerability_id":"VCID-vsvp-q6bs-3qau","summary":"","references":[{"reference_url":"https://api.first.org/data/
v1/epss?cve=CVE-2022-25893","reference_id":"","reference_type":"","scores":[{"value":"0.00495","scoring_system":"epss","scoring_elements":"0.66203","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00495","scoring_system":"epss","scoring_elements":"0.66297","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00495","scoring_system":"epss","scoring_elements":"0.66311","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00495","scoring_system":"epss","scoring_elements":"0.66309","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-25893"},{"reference_url":"https://github.com/patriksimek/vm2","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2"},{"reference_url":"https://github.com/patriksimek/vm2/issues/444","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2/issues/444"},{"reference_url":"https://github.com/patriksimek/vm2/pull/445","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2/pull/445"},{"reference_url":"https://github.com/patriksimek/vm2/pull/445/commits/3a9876482be487b78a90ac459675da7f83f46d69","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.
com/patriksimek/vm2/pull/445/commits/3a9876482be487b78a90ac459675da7f83f46d69"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25893","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-25893"},{"reference_url":"https://security.snyk.io/vuln/SNYK-JS-VM2-2990237","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.snyk.io/vuln/SNYK-JS-VM2-2990237"},{"reference_url":"https://github.com/advisories/GHSA-4w2j-2rg4-5mjw","reference_id":"GHSA-4w2j-2rg4-5mjw","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4w2j-2rg4-5mjw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/384073?format=json","purl":"pkg:npm/vm2@3.9.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-55dr-v6ew-s3e8"},{"vulnerability":"VCID-598j-pe72-qkh3"},{"vulnerability":"VCID-6fr8-3aqn-wyce"},{"vulnerability":"VCID-6n7e-fz65-jfds"},{"vulnerability":"VCID-77zs-22q5-d7ev"},{"vulnerability":"VCID-8he7-t256-1yct"},{"vulnerability":"VCID-8pe8-9mh9-27f3"},{"vulnerability":"VCID-8zk3-a7sw-u7an"},{"vulnerability":"VCID-bcct-j6mk-z7hu"},{"vulnerability":"VCID-ct4r-vjm4-4qby"},{"vulnerability":"VCID-g93v-7a6d-5bfm"},{"vulnerability":"VCID-gbh7-h2ek-hqgg"},{"vulnerability":"VCID-gvhg-db7k-57ey"},{"vulnerability":"VCID-hb4z-qz2p-rqc5"},{"vulnerability":"VCID-k9q9-7mgb-rbbf"},{"vulnerability":"VCID-kjca-h5yw-cudv"},{"vulnerability":"VCID-mqs7-x7bh-17ef"},{"vulnerability":"VCID-nkcm-wcbb-quhs"},{"vulnerability":"VCID-pucd-5ym
9-1bc8"},{"vulnerability":"VCID-rm74-p6v5-wkbj"},{"vulnerability":"VCID-rt16-s8w5-8qgy"},{"vulnerability":"VCID-tvb2-2e76-27av"},{"vulnerability":"VCID-ua6c-rrsj-2kg6"},{"vulnerability":"VCID-vj51-w2rv-6qgu"},{"vulnerability":"VCID-vwem-gghh-t7hc"},{"vulnerability":"VCID-w13m-snrt-5ud3"},{"vulnerability":"VCID-wm49-3agn-rffg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.9.10"}],"aliases":["CVE-2022-25893","GHSA-4w2j-2rg4-5mjw"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vsvp-q6bs-3qau"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/67756?format=json","vulnerability_id":"VCID-vwem-gghh-t7hc","summary":"vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, vm2's CallSite wrapper class (intended as a safe wrapper for V8's native CallSite) blocks getThis() and getFunction() to prevent host object leakage, but allows getFileName() to return unsanitized host absolute paths. Any sandboxed code can extract the full directory structure, library paths, and framework versions of the host server. 
This vulnerability is fixed in 3.11.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44002","reference_id":"","reference_type":"","scores":[{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11155","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11089","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11149","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00039","scoring_system":"epss","scoring_elements":"0.12184","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44002"},{"reference_url":"https://github.com/patriksimek/vm2","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44002","reference_id":"","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44002"},{"reference_url":"https://github.com/advisories/GHSA-v27g-jcqj-v8rw","reference_id":"GHSA-v27g-jcqj-v8rw","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v27g-jcqj-v8rw"},{"reference_url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-v27g-jcqj-v8rw","reference_id":"GHSA-v27g-jcqj-v8rw","reference_type":"","scores":[{"value":"5.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"valu
e":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-14T18:23:24Z/"}],"url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-v27g-jcqj-v8rw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375381?format=json","purl":"pkg:npm/vm2@3.11.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-598j-pe72-qkh3"},{"vulnerability":"VCID-8zk3-a7sw-u7an"},{"vulnerability":"VCID-g93v-7a6d-5bfm"},{"vulnerability":"VCID-rt16-s8w5-8qgy"},{"vulnerability":"VCID-tvb2-2e76-27av"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.11.0"}],"aliases":["CVE-2026-44002","GHSA-v27g-jcqj-v8rw"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vwem-gghh-t7hc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/140519?format=json","vulnerability_id":"VCID-w13m-snrt-5ud3","summary":"vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Prior to version 3.9.15, vm2 was not properly handling host objects passed to `Error.prepareStackTrace` in case of unhandled async errors. A threat actor could bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.15 of vm2. 
There are no known workarounds.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-29017.json","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-29017.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-29017","reference_id":"","reference_type":"","scores":[{"value":"0.70647","scoring_system":"epss","scoring_elements":"0.98725","published_at":"2026-06-14T12:55:00Z"},{"value":"0.70647","scoring_system":"epss","scoring_elements":"0.98724","published_at":"2026-06-13T12:55:00Z"},{"value":"0.74958","scoring_system":"epss","scoring_elements":"0.98891","published_at":"2026-06-11T12:55:00Z"},{"value":"0.74958","scoring_system":"epss","scoring_elements":"0.98895","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-29017"},{"reference_url":"https://github.com/patriksimek/vm2","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-29017","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-29017"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2185374","reference_id":"2185374","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2185374"},{"reference_url":"https://gist.github.com/seongil-wi/2a44e082001b959bfe304b62121fb76d","reference_id":"2a4
4e082001b959bfe304b62121fb76d","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-02-10T16:10:48Z/"}],"url":"https://gist.github.com/seongil-wi/2a44e082001b959bfe304b62121fb76d"},{"reference_url":"https://github.com/patriksimek/vm2/issues/515","reference_id":"515","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-02-10T16:10:48Z/"}],"url":"https://github.com/patriksimek/vm2/issues/515"},{"reference_url":"https://github.com/patriksimek/vm2/commit/d534e5785f38307b70d3aac1945260a261a94d50","reference_id":"d534e5785f38307b70d3aac1945260a261a94d50","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-02-10T16:10:48Z/"}],"url":"https://github.com/patriksimek/vm2/commit/d534e5785f38307b70d3aac1945260a261a94d50"},{"reference_url":"https://github.com/advisories/GHSA-7jxr-cg7f-gpgv","reference_id":"GHSA-7jxr-cg7f-gpgv","reference_type":"","scores":[{"value":"CRITIC
AL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7jxr-cg7f-gpgv"},{"reference_url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-7jxr-cg7f-gpgv","reference_id":"GHSA-7jxr-cg7f-gpgv","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-02-10T16:10:48Z/"}],"url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-7jxr-cg7f-gpgv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/379370?format=json","purl":"pkg:npm/vm2@3.9.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-55dr-v6ew-s3e8"},{"vulnerability":"VCID-598j-pe72-qkh3"},{"vulnerability":"VCID-6fr8-3aqn-wyce"},{"vulnerability":"VCID-6n7e-fz65-jfds"},{"vulnerability":"VCID-77zs-22q5-d7ev"},{"vulnerability":"VCID-8he7-t256-1yct"},{"vulnerability":"VCID-8pe8-9mh9-27f3"},{"vulnerability":"VCID-8zk3-a7sw-u7an"},{"vulnerability":"VCID-bcct-j6mk-z7hu"},{"vulnerability":"VCID-g93v-7a6d-5bfm"},{"vulnerability":"VCID-gbh7-h2ek-hqgg"},{"vulnerability":"VCID-gvhg-db7k-57ey"},{"vulnerability":"VCID-hb4z-qz2p-rqc5"},{"vulnerability":"VCID-k9q9-7mgb-rbbf"},{"vulnerability":"VCID-kjca-h5yw-cudv"},{"vulnerability":"VCID-mqs7-x7bh-17ef"},{"vulnerability":"VCID-nkcm-wcbb-quhs"},{"vulnerability":"VCID-pucd-5ym9-1bc8"},{"vulnerability":"VCID-rm74-p6v5-wkbj"},{"vulnerability":"VCID-rt16-s8w5-8qgy"},{"vulnerability":"VCID-tvb2-2e76-27av"},{"vulnerability":"VCID-ua6c-rrsj-2kg6"},{"vulnerability":"VCID-vj51-w2rv-6qgu"},{"vulnerability":"VCID-vwem-gghh-t7hc"},{"vulnerabi
lity":"VCID-wm49-3agn-rffg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.9.15"}],"aliases":["CVE-2023-29017","GHSA-7jxr-cg7f-gpgv"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w13m-snrt-5ud3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/138879?format=json","vulnerability_id":"VCID-wm49-3agn-rffg","summary":"vm2 is an advanced vm/sandbox for Node.js. The library contains critical security issues and should not be used for production. The maintenance of the project has been discontinued. In vm2 for versions up to 3.9.19, `Promise` handler sanitization can be bypassed with the `@@species` accessor property allowing attackers to escape the sandbox and run arbitrary code, potentially allowing remote code execution inside the context of vm2 sandbox. Version 3.10.0 contains a patch for the issue.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-37466.json","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-37466.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-37466","reference_id":"","reference_type":"","scores":[{"value":"0.04929","scoring_system":"epss","scoring_elements":"0.8985","published_at":"2026-06-11T12:55:00Z"},{"value":"0.04929","scoring_system":"epss","scoring_elements":"0.89887","published_at":"2026-06-14T12:55:00Z"},{"value":"0.04929","scoring_system":"epss","scoring_elements":"0.89883","published_at":"2026-06-12T12:55:00Z"},{"value":"0.04929","scoring_system":"epss","scoring_elements":"0.89889","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-37466"},{"reference_url":"https://gist.github.com/leesh3288/f693061e6523c97274ad5298eb2c74e9"
,"reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://gist.github.com/leesh3288/f693061e6523c97274ad5298eb2c74e9"},{"reference_url":"https://github.com/patriksimek/vm2","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/patriksimek/vm2"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-37466","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-37466"},{"reference_url":"https://security.netapp.com/advisory/ntap-20230831-0007","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20230831-0007"},{"reference_url":"https://security.netapp.com/advisory/ntap-20241108-0002","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20241108-0002"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2232376","reference_id":"2232376","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2232376"},{"reference_url":"https://github.com/patriksime
k/vm2/commit/d9a1fde8ec5a5a9c9e5a69bf91d703950859d744","reference_id":"d9a1fde8ec5a5a9c9e5a69bf91d703950859d744","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-15T17:36:22Z/"}],"url":"https://github.com/patriksimek/vm2/commit/d9a1fde8ec5a5a9c9e5a69bf91d703950859d744"},{"reference_url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5","reference_id":"GHSA-cchq-frgv-rjh5","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-15T17:36:22Z/"}],"url":"https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5"},{"reference_url":"https://github.com/patriksimek/vm2/releases/tag/v3.10.0","reference_id":"v3.10.0","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-15T17:36:22Z/"}],"url":"https://github.com/patriksimek/vm2/releases/tag/v3.10.0"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/381430?format=json","purl":"pkg:npm/vm2@3.10.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-55dr-v6ew-s3e8"},{"vulnerability":"VCID-598j-pe72-qkh3"},{"vulnerability":"VCID-6fr8-3aqn-wyce"},{"vulnerability":"VCID-77zs-22q
5-d7ev"},{"vulnerability":"VCID-8he7-t256-1yct"},{"vulnerability":"VCID-8pe8-9mh9-27f3"},{"vulnerability":"VCID-8zk3-a7sw-u7an"},{"vulnerability":"VCID-bcct-j6mk-z7hu"},{"vulnerability":"VCID-g93v-7a6d-5bfm"},{"vulnerability":"VCID-gbh7-h2ek-hqgg"},{"vulnerability":"VCID-gvhg-db7k-57ey"},{"vulnerability":"VCID-hb4z-qz2p-rqc5"},{"vulnerability":"VCID-k9q9-7mgb-rbbf"},{"vulnerability":"VCID-kjca-h5yw-cudv"},{"vulnerability":"VCID-nkcm-wcbb-quhs"},{"vulnerability":"VCID-pucd-5ym9-1bc8"},{"vulnerability":"VCID-rt16-s8w5-8qgy"},{"vulnerability":"VCID-tvb2-2e76-27av"},{"vulnerability":"VCID-vwem-gghh-t7hc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.10.0"}],"aliases":["CVE-2023-37466","GHSA-cchq-frgv-rjh5"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wm49-3agn-rffg"}],"fixing_vulnerabilities":[],"risk_score":"10.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/vm2@3.6.10"}