{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24118", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-21T18:38:22.472Z", "datePublished": "2026-05-04T16:28:43.650Z", "dateUpdated": "2026-05-04T18:24:33.166Z"}, "containers": {"cna": {"title": "VM2 Sandbox Breakout Through __lookupGetter__", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-693", "lang": "en", "description": "CWE-693: Protection Mechanism Failure", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/patriksimek/vm2/security/advisories/GHSA-grj5-jjm8-h35p", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-grj5-jjm8-h35p"}, {"name": "https://github.com/patriksimek/vm2/commit/2b5f3e3a060d9088f5e1cdd585d683d491f990a3", "tags": ["x_refsource_MISC"], "url": "https://github.com/patriksimek/vm2/commit/2b5f3e3a060d9088f5e1cdd585d683d491f990a3"}, {"name": "https://github.com/patriksimek/vm2/commit/f9b700b1c7d9ef2df416666cb24e0b659140cc74", "tags": ["x_refsource_MISC"], "url": "https://github.com/patriksimek/vm2/commit/f9b700b1c7d9ef2df416666cb24e0b659140cc74"}, {"name": "https://github.com/patriksimek/vm2/releases/tag/v3.11.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.0"}], "affected": [{"vendor": "patriksimek", "product": "vm2", "versions": [{"version": "< 3.11.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-05-04T16:28:43.650Z"}, "descriptions": [{"lang": "en", "value": "vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0."}], "source": {"advisory": "GHSA-grj5-jjm8-h35p", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-grj5-jjm8-h35p", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-05-04T18:24:17.023397Z", "id": "CVE-2026-24118", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-04T18:24:33.166Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24118", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-05-04T18:24:17.023397Z"}}}], "references": [{"url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-grj5-jjm8-h35p", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-04T18:24:29.528Z"}}], "cna": {"title": "VM2 Sandbox Breakout Through __lookupGetter__", "source": {"advisory": "GHSA-grj5-jjm8-h35p", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "patriksimek", "product": "vm2", "versions": [{"status": "affected", "version": "< 3.11.0"}]}], "references": [{"url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-grj5-jjm8-h35p", "name": "https://github.com/patriksimek/vm2/security/advisories/GHSA-grj5-jjm8-h35p", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/patriksimek/vm2/commit/2b5f3e3a060d9088f5e1cdd585d683d491f990a3", "name": "https://github.com/patriksimek/vm2/commit/2b5f3e3a060d9088f5e1cdd585d683d491f990a3", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/patriksimek/vm2/commit/f9b700b1c7d9ef2df416666cb24e0b659140cc74", "name": "https://github.com/patriksimek/vm2/commit/f9b700b1c7d9ef2df416666cb24e0b659140cc74", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.0", "name": "https://github.com/patriksimek/vm2/releases/tag/v3.11.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-693", "description": "CWE-693: Protection Mechanism Failure"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-05-04T16:28:43.650Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24118", "state": "PUBLISHED", "dateUpdated": "2026-05-04T18:24:33.166Z", "dateReserved": "2026-01-21T18:38:22.472Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-05-04T16:28:43.650Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vm2_project:vm2:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "6DD48308-6219-4C66-9BE7-246EE56FB834", "versionEndExcluding": "3.11.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0."}], "id": "CVE-2026-24118", "lastModified": "2026-05-08T19:30:38.780", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-05-04T17:16:21.643", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/patriksimek/vm2/commit/2b5f3e3a060d9088f5e1cdd585d683d491f990a3"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/patriksimek/vm2/commit/f9b700b1c7d9ef2df416666cb24e0b659140cc74"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-grj5-jjm8-h35p"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-grj5-jjm8-h35p"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-693"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "vm2: vm2: Arbitrary code execution due to sandbox breakout", "id": "2466502", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2466502"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-749", "details": ["A flaw was found in vm2, an open-source sandbox for Node.js. This sandbox breakout vulnerability allows attackers to write malicious code that can escape the vm2 sandbox. Successful exploitation enables the execution of arbitrary commands on the host system, leading to critical system compromise."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-24118", "package_state": [{"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Not affected", "package_name": "rhdh/rhdh-hub-rhel9", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:ansible_portal:2", "fix_state": "Affected", "package_name": "ansible-automation-platform/automation-portal", "product_name": "Self-service automation portal 2"}], "public_date": "2026-05-04T16:28:43Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-24118\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-24118\nhttps://github.com/patriksimek/vm2/commit/2b5f3e3a060d9088f5e1cdd585d683d491f990a3\nhttps://github.com/patriksimek/vm2/commit/f9b700b1c7d9ef2df416666cb24e0b659140cc74\nhttps://github.com/patriksimek/vm2/releases/tag/v3.11.0\nhttps://github.com/patriksimek/vm2/security/advisories/GHSA-grj5-jjm8-h35p"], "statement": "This Important vulnerability in vm2, an open-source Node.js sandbox, allows for a sandbox breakout, enabling attackers to execute arbitrary commands on the host system. To exploit this issue the attacker needs to have privileges to run untrusted code within the `vm2` environment or trick the user to run such code.\nRed Hat Developer Hub is not affected by this vulnerability as the `vm2` package is a development dependency and the code could not be reached by an adversary.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.11.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "vm2", "source": "cna", "vendor": "patriksimek"}, "product": "vm2", "vendor": "patriksimek"}], "created": "2026-05-04T18:45:06.214017+00:00", "updated": "2026-05-16T02:00:12.272149+00:00", "vendors": ["patriksimek", "patriksimek$PRODUCT$vm2"]}