Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-5xbq-86wn-77c4
Vulnerability ID VCID-5xbq-86wn-77c4
Aliases CVE-2019-10761
GHSA-wf5x-cr3r-xr77
Summary vm2 before 3.6.11 vulnerable to sandbox escape
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-674 Uncontrolled Recursion
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00818 https://api.first.org/data/v1/epss?cve=CVE-2019-10761
epss 0.00818 https://api.first.org/data/v1/epss?cve=CVE-2019-10761
epss 0.00818 https://api.first.org/data/v1/epss?cve=CVE-2019-10761
cvssv3.1 8.3 https://gist.github.com/JLLeitschuh/609bb2efaff22ed84fe182cf574c023a
generic_textual HIGH https://gist.github.com/JLLeitschuh/609bb2efaff22ed84fe182cf574c023a
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-wf5x-cr3r-xr77
cvssv3.1 8.3 https://github.com/patriksimek/vm2
generic_textual HIGH https://github.com/patriksimek/vm2
cvssv3.1 8.3 https://github.com/patriksimek/vm2/commit/4b22d704e4794af63a5a2d633385fd20948f6f90
generic_textual HIGH https://github.com/patriksimek/vm2/commit/4b22d704e4794af63a5a2d633385fd20948f6f90
cvssv3.1 8.3 https://github.com/patriksimek/vm2/issues/197
generic_textual HIGH https://github.com/patriksimek/vm2/issues/197
cvssv3.1 8.3 https://github.com/patriksimek/vm2/issues/197#issuecomment-480643832
generic_textual HIGH https://github.com/patriksimek/vm2/issues/197#issuecomment-480643832
cvssv3.1 8.3 https://nvd.nist.gov/vuln/detail/CVE-2019-10761
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2019-10761
cvssv3.1 8.3 https://snyk.io/vuln/SNYK-JS-VM2-473188
generic_textual HIGH https://snyk.io/vuln/SNYK-JS-VM2-473188
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2019-10761
https://gist.github.com/JLLeitschuh/609bb2efaff22ed84fe182cf574c023a
https://github.com/patriksimek/vm2
https://github.com/patriksimek/vm2/commit/4b22d704e4794af63a5a2d633385fd20948f6f90
https://github.com/patriksimek/vm2/issues/197
https://github.com/patriksimek/vm2/issues/197#issuecomment-480643832
https://snyk.io/vuln/SNYK-JS-VM2-473188
CVE-2019-10761 https://nvd.nist.gov/vuln/detail/CVE-2019-10761
GHSA-wf5x-cr3r-xr77 https://github.com/advisories/GHSA-wf5x-cr3r-xr77
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L Found at https://gist.github.com/JLLeitschuh/609bb2efaff22ed84fe182cf574c023a
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L Found at https://github.com/patriksimek/vm2
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L Found at https://github.com/patriksimek/vm2/commit/4b22d704e4794af63a5a2d633385fd20948f6f90
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L Found at https://github.com/patriksimek/vm2/issues/197
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L Found at https://github.com/patriksimek/vm2/issues/197#issuecomment-480643832
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2019-10761
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L Found at https://snyk.io/vuln/SNYK-JS-VM2-473188
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.74789
EPSS Score 0.00818
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T20:31:49.535419+00:00 GHSA Importer Import https://github.com/advisories/GHSA-wf5x-cr3r-xr77 38.6.0