Vulnerability details: VCID-tdv8-2vye-cyaw
Vulnerability ID VCID-tdv8-2vye-cyaw
Aliases CVE-2026-47137, GHSA-m4wx-m65x-ghrr
Summary vm2 has a CVE-2023-37903 patch bypass: nesting:true without explicit require still allows full RCE
Status Published
Exploitability 0.5
Weighted Severity 9.0
Risk 4.5
System Score Found at
epss 0.00054 https://api.first.org/data/v1/epss?cve=CVE-2026-47137
epss 0.00223 https://api.first.org/data/v1/epss?cve=CVE-2026-47137
cvssv3.1 10 https://github.com/advisories/GHSA-g644-9gfx-q4q4
ssvc Track* https://github.com/advisories/GHSA-g644-9gfx-q4q4
cvssv3.1_qr CRITICAL https://github.com/advisories/GHSA-m4wx-m65x-ghrr
cvssv3.1 10.0 https://github.com/patriksimek/vm2
generic_textual CRITICAL https://github.com/patriksimek/vm2
cvssv3.1 10 https://github.com/patriksimek/vm2/commit/01a7552add345d5a6862623884e6b79a85bf0568
cvssv3.1 10.0 https://github.com/patriksimek/vm2/commit/01a7552add345d5a6862623884e6b79a85bf0568
generic_textual CRITICAL https://github.com/patriksimek/vm2/commit/01a7552add345d5a6862623884e6b79a85bf0568
ssvc Track* https://github.com/patriksimek/vm2/commit/01a7552add345d5a6862623884e6b79a85bf0568
cvssv3.1 10 https://github.com/patriksimek/vm2/commit/86ab819f202c3a8dad88cef5705f2e416c5188d7
cvssv3.1 10.0 https://github.com/patriksimek/vm2/commit/86ab819f202c3a8dad88cef5705f2e416c5188d7
generic_textual CRITICAL https://github.com/patriksimek/vm2/commit/86ab819f202c3a8dad88cef5705f2e416c5188d7
ssvc Track* https://github.com/patriksimek/vm2/commit/86ab819f202c3a8dad88cef5705f2e416c5188d7
cvssv3.1 10 https://github.com/patriksimek/vm2/releases/tag/v3.11.4
cvssv3.1 10.0 https://github.com/patriksimek/vm2/releases/tag/v3.11.4
generic_textual CRITICAL https://github.com/patriksimek/vm2/releases/tag/v3.11.4
ssvc Track* https://github.com/patriksimek/vm2/releases/tag/v3.11.4
cvssv3.1 10 https://github.com/patriksimek/vm2/security/advisories/GHSA-m4wx-m65x-ghrr
cvssv3.1 10.0 https://github.com/patriksimek/vm2/security/advisories/GHSA-m4wx-m65x-ghrr
cvssv3.1_qr CRITICAL https://github.com/patriksimek/vm2/security/advisories/GHSA-m4wx-m65x-ghrr
generic_textual CRITICAL https://github.com/patriksimek/vm2/security/advisories/GHSA-m4wx-m65x-ghrr
ssvc Track* https://github.com/patriksimek/vm2/security/advisories/GHSA-m4wx-m65x-ghrr
cvssv3.1 10.0 https://nvd.nist.gov/vuln/detail/CVE-2026-47137
generic_textual CRITICAL https://nvd.nist.gov/vuln/detail/CVE-2026-47137
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/advisories/GHSA-g644-9gfx-q4q4
Vector: SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-06-12T14:58:42Z/ Found at https://github.com/advisories/GHSA-g644-9gfx-q4q4
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/patriksimek/vm2
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/patriksimek/vm2/commit/01a7552add345d5a6862623884e6b79a85bf0568
Vector: SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-06-12T14:58:42Z/ Found at https://github.com/patriksimek/vm2/commit/01a7552add345d5a6862623884e6b79a85bf0568
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/patriksimek/vm2/commit/86ab819f202c3a8dad88cef5705f2e416c5188d7
Vector: SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-06-12T14:58:42Z/ Found at https://github.com/patriksimek/vm2/commit/86ab819f202c3a8dad88cef5705f2e416c5188d7
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/patriksimek/vm2/releases/tag/v3.11.4
Vector: SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-06-12T14:58:42Z/ Found at https://github.com/patriksimek/vm2/releases/tag/v3.11.4
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/patriksimek/vm2/security/advisories/GHSA-m4wx-m65x-ghrr
Vector: SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-06-12T14:58:42Z/ Found at https://github.com/patriksimek/vm2/security/advisories/GHSA-m4wx-m65x-ghrr
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2026-47137
Exploit Prediction Scoring System (EPSS)
Percentile 0.17447
EPSS Score 0.00054
Published At June 13, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T20:38:55.056784+00:00 GHSA Importer Import https://github.com/advisories/GHSA-m4wx-m65x-ghrr 38.6.0