{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26332", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-13T16:27:51.810Z", "datePublished": "2026-05-04T16:35:52.706Z", "dateUpdated": "2026-05-04T19:06:53.442Z"}, "containers": {"cna": {"title": "vm2: Sandbox Escape", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-693", "lang": "en", "description": "CWE-693: Protection Mechanism Failure", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/patriksimek/vm2/security/advisories/GHSA-55hx-c926-fr95", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-55hx-c926-fr95"}, {"name": "https://github.com/patriksimek/vm2/releases/tag/v3.11.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.0"}], "affected": [{"vendor": "patriksimek", "product": "vm2", "versions": [{"version": "< 3.11.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-05-04T16:35:52.706Z"}, "descriptions": [{"lang": "en", "value": "vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0."}], "source": {"advisory": "GHSA-55hx-c926-fr95", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-55hx-c926-fr95", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-05-04T19:06:32.471517Z", "id": "CVE-2026-26332", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-04T19:06:53.442Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26332", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-05-04T19:06:32.471517Z"}}}], "references": [{"url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-55hx-c926-fr95", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-04T19:06:03.857Z"}}], "cna": {"title": "vm2: Sandbox Escape", "source": {"advisory": "GHSA-55hx-c926-fr95", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "patriksimek", "product": "vm2", "versions": [{"status": "affected", "version": "< 3.11.0"}]}], "references": [{"url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-55hx-c926-fr95", "name": "https://github.com/patriksimek/vm2/security/advisories/GHSA-55hx-c926-fr95", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.0", "name": "https://github.com/patriksimek/vm2/releases/tag/v3.11.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-693", "description": "CWE-693: Protection Mechanism Failure"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-05-04T16:35:52.706Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26332", "state": "PUBLISHED", "dateUpdated": "2026-05-04T19:06:53.442Z", "dateReserved": "2026-02-13T16:27:51.810Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-05-04T16:35:52.706Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vm2_project:vm2:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "6DD48308-6219-4C66-9BE7-246EE56FB834", "versionEndExcluding": "3.11.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0."}], "id": "CVE-2026-26332", "lastModified": "2026-05-06T12:24:36.910", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-05-04T17:16:22.403", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/patriksimek/vm2/releases/tag/v3.11.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-55hx-c926-fr95"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-55hx-c926-fr95"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-693"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "vm2: vm2: Arbitrary code execution via SuppressedError sandbox escape", "id": "2466508", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2466508"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-653", "details": ["A flaw was found in vm2, an open-source sandbox for Node.js. This vulnerability allows a remote attacker to escape the sandbox environment by exploiting the `SuppressedError` mechanism. Successful exploitation can lead to arbitrary code execution on the host system, compromising the integrity and confidentiality of the affected system."], "name": "CVE-2026-26332", "package_state": [{"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Not affected", "package_name": "rhdh/rhdh-hub-rhel9", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:ansible_portal:2", "fix_state": "Affected", "package_name": "ansible-automation-platform/automation-portal", "product_name": "Self-service automation portal 2"}], "public_date": "2026-05-04T16:35:52Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-26332\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-26332\nhttps://github.com/patriksimek/vm2/releases/tag/v3.11.0\nhttps://github.com/patriksimek/vm2/security/advisories/GHSA-55hx-c926-fr95"], "statement": "This is an Important flaw in the vm2 Node.js sandbox, enabling a remote attacker to escape the sandbox and achieve arbitrary code execution. This happens because the sandbox fails to run rejection call backs within the sandbox isolation, an attacker that have privileges or tricks the user to run a maliciously crafted code can leverage that to cause suppressed errors to be handled in the host side instead of in the local side leading to the sandbox escape.\nRed Hat Developer Hub is not affected by this vulnerability as the `vm2` package is a development dependency and the code could not be reached by an adversary.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.11.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "vm2", "source": "cna", "vendor": "patriksimek"}, "product": "vm2", "vendor": "patriksimek"}], "created": "2026-05-04T18:45:06.428233+00:00", "updated": "2026-05-04T19:00:07.707529+00:00", "vendors": ["patriksimek", "patriksimek$PRODUCT$vm2"]}