Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-qsyb-rkff-wyht
Vulnerability ID VCID-qsyb-rkff-wyht
Aliases CVE-2021-23449
GHSA-rjf2-j2r6-q8gr
Summary
Status Published
Exploitability 0.5
Weighted Severity 9.0
Risk 4.5
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.02202 https://api.first.org/data/v1/epss?cve=CVE-2021-23449
epss 0.02202 https://api.first.org/data/v1/epss?cve=CVE-2021-23449
epss 0.02202 https://api.first.org/data/v1/epss?cve=CVE-2021-23449
cvssv3.1_qr CRITICAL https://github.com/advisories/GHSA-rjf2-j2r6-q8gr
cvssv3.1 9.8 https://github.com/patriksimek/vm2
generic_textual CRITICAL https://github.com/patriksimek/vm2
cvssv3.1 9.8 https://github.com/patriksimek/vm2/commit/b4f6e2bd2c4a1ef52fc4483d8e35f28bc4481886
generic_textual CRITICAL https://github.com/patriksimek/vm2/commit/b4f6e2bd2c4a1ef52fc4483d8e35f28bc4481886
cvssv3.1 9.8 https://github.com/patriksimek/vm2/issues/363
generic_textual CRITICAL https://github.com/patriksimek/vm2/issues/363
cvssv3.1 9.8 https://github.com/patriksimek/vm2/releases/tag/3.9.4
generic_textual CRITICAL https://github.com/patriksimek/vm2/releases/tag/3.9.4
cvssv3.1 9.8 https://nvd.nist.gov/vuln/detail/CVE-2021-23449
generic_textual CRITICAL https://nvd.nist.gov/vuln/detail/CVE-2021-23449
cvssv3.1 9.8 https://security.netapp.com/advisory/ntap-20211029-0010
generic_textual CRITICAL https://security.netapp.com/advisory/ntap-20211029-0010
cvssv3.1 9.8 https://snyk.io/vuln/SNYK-JS-VM2-1585918
generic_textual CRITICAL https://snyk.io/vuln/SNYK-JS-VM2-1585918
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2021-23449
https://github.com/patriksimek/vm2
https://github.com/patriksimek/vm2/commit/b4f6e2bd2c4a1ef52fc4483d8e35f28bc4481886
https://github.com/patriksimek/vm2/issues/363
https://github.com/patriksimek/vm2/releases/tag/3.9.4
https://nvd.nist.gov/vuln/detail/CVE-2021-23449
https://security.netapp.com/advisory/ntap-20211029-0010
https://security.netapp.com/advisory/ntap-20211029-0010/
https://snyk.io/vuln/SNYK-JS-VM2-1585918
GHSA-rjf2-j2r6-q8gr https://github.com/advisories/GHSA-rjf2-j2r6-q8gr
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/patriksimek/vm2
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/patriksimek/vm2/commit/b4f6e2bd2c4a1ef52fc4483d8e35f28bc4481886
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/patriksimek/vm2/issues/363
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/patriksimek/vm2/releases/tag/3.9.4
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2021-23449
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://security.netapp.com/advisory/ntap-20211029-0010
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://snyk.io/vuln/SNYK-JS-VM2-1585918
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.8479
EPSS Score 0.02202
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-12T01:59:03.790517+00:00 EPSS Importer Import https://epss.cyentia.com/epss_scores-current.csv.gz 38.6.0