Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-etxy-bh6c-zbdv
Vulnerability ID VCID-etxy-bh6c-zbdv
Aliases CVE-2026-47140
GHSA-rp36-8xq3-r6c4
Summary NodeVM builtin denylist bypass via process and inspector/promises allows host code execution
Status Published
Exploitability 0.5
Weighted Severity 9.0
Risk 4.5
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-693 Protection Mechanism Failure
System Score Found at
epss 0.0008 https://api.first.org/data/v1/epss?cve=CVE-2026-47140
epss 0.00134 https://api.first.org/data/v1/epss?cve=CVE-2026-47140
cvssv3.1_qr CRITICAL https://github.com/advisories/GHSA-rp36-8xq3-r6c4
cvssv3.1 10.0 https://github.com/patriksimek/vm2
generic_textual CRITICAL https://github.com/patriksimek/vm2
cvssv3.1 10 https://github.com/patriksimek/vm2/commit/a1ed47a98d1cc36cb48c0d566d55889688e0b59b
cvssv3.1 10.0 https://github.com/patriksimek/vm2/commit/a1ed47a98d1cc36cb48c0d566d55889688e0b59b
generic_textual CRITICAL https://github.com/patriksimek/vm2/commit/a1ed47a98d1cc36cb48c0d566d55889688e0b59b
ssvc Track* https://github.com/patriksimek/vm2/commit/a1ed47a98d1cc36cb48c0d566d55889688e0b59b
cvssv3.1 10 https://github.com/patriksimek/vm2/releases/tag/v3.11.4
cvssv3.1 10.0 https://github.com/patriksimek/vm2/releases/tag/v3.11.4
generic_textual CRITICAL https://github.com/patriksimek/vm2/releases/tag/v3.11.4
ssvc Track* https://github.com/patriksimek/vm2/releases/tag/v3.11.4
cvssv3.1 10 https://github.com/patriksimek/vm2/security/advisories/GHSA-rp36-8xq3-r6c4
cvssv3.1 10.0 https://github.com/patriksimek/vm2/security/advisories/GHSA-rp36-8xq3-r6c4
cvssv3.1_qr CRITICAL https://github.com/patriksimek/vm2/security/advisories/GHSA-rp36-8xq3-r6c4
generic_textual CRITICAL https://github.com/patriksimek/vm2/security/advisories/GHSA-rp36-8xq3-r6c4
ssvc Track* https://github.com/patriksimek/vm2/security/advisories/GHSA-rp36-8xq3-r6c4
cvssv3.1 10.0 https://nvd.nist.gov/vuln/detail/CVE-2026-47140
generic_textual CRITICAL https://nvd.nist.gov/vuln/detail/CVE-2026-47140
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-47140
https://github.com/patriksimek/vm2
https://github.com/patriksimek/vm2/commit/a1ed47a98d1cc36cb48c0d566d55889688e0b59b
https://github.com/patriksimek/vm2/releases/tag/v3.11.4
https://nvd.nist.gov/vuln/detail/CVE-2026-47140
GHSA-rp36-8xq3-r6c4 https://github.com/advisories/GHSA-rp36-8xq3-r6c4
GHSA-rp36-8xq3-r6c4 https://github.com/patriksimek/vm2/security/advisories/GHSA-rp36-8xq3-r6c4
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/patriksimek/vm2
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/patriksimek/vm2/commit/a1ed47a98d1cc36cb48c0d566d55889688e0b59b
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/patriksimek/vm2/commit/a1ed47a98d1cc36cb48c0d566d55889688e0b59b
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-06-12T16:38:46Z/ Found at https://github.com/patriksimek/vm2/commit/a1ed47a98d1cc36cb48c0d566d55889688e0b59b
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/patriksimek/vm2/releases/tag/v3.11.4
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/patriksimek/vm2/releases/tag/v3.11.4
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-06-12T16:38:46Z/ Found at https://github.com/patriksimek/vm2/releases/tag/v3.11.4
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/patriksimek/vm2/security/advisories/GHSA-rp36-8xq3-r6c4
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/patriksimek/vm2/security/advisories/GHSA-rp36-8xq3-r6c4
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-06-12T16:38:46Z/ Found at https://github.com/patriksimek/vm2/security/advisories/GHSA-rp36-8xq3-r6c4
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2026-47140
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.23909
EPSS Score 0.0008
Published At June 13, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T20:38:55.155185+00:00 GHSA Importer Import https://github.com/advisories/GHSA-rp36-8xq3-r6c4 38.6.0