43 Total advisories
43 Vulnerabilities
0 Malware
Vulnerabilities
CRITICAL 10.0
CVE-2026-47140
NodeVM builtin denylist bypass via process and inspector/promises allows host code execution
CRITICAL 10.0
CVE-2026-47131
vm2 has a Sandbox Escape issue
CRITICAL 9.8
CVE-2026-47210
vm2 sandbox escape via JSPI-backed Promise `.finally()` species bypass
CRITICAL 10.0
CVE-2026-47208
vm2 is Vulnerable to Sandbox Breakout Through Promise Species
CRITICAL 10.0
CVE-2026-47137
vm2 has a CVE-2023-37903 patch bypass: nesting:true without explicit require still allows full RCE
HIGH 8.6
CVE-2026-47209
vm2's Bridge Proxy set trap ignores receiver parameter, enabling host object property injection via prototype chain
HIGH 8.7
CVE-2026-47135
vm2 has a sandbox escape via unblocked cross-realm Symbol.for keys + missing bridge write-trap symbol checks
HIGH 8.6
CVE-2026-47139
NodeVM network builtin exclusions bypass via internal _http_client and _http_server
UNKNOWN
CVE-2026-47141
NodeVM observability builtins leak host process and HTTP request data
CRITICAL 9.8
CVE-2026-26956
VM2 Has a WASM Sandbox Escape
UNKNOWN
GHSA-q3fm-4wcw-g57x
vm2 setup-sandbox.js violates Defense Invariant #11 in stack-trace formatter
CRITICAL 9.8
CVE-2026-45411
vm2 Has a Sandbox Breakout Using Async Generator
MEDIUM 5.8
CVE-2026-44002
vm2 is Vulnerable to Host File Path Disclosure via Stack Trace Information Leak
MEDIUM 5.3
CVE-2026-44003
vm2's Transformer Fast-Path Bypass Exposes Internal State Variable
CRITICAL 10.0
CVE-2026-44006
vm2 has a Sandbox Escape Vulnerability
HIGH 8.6
CVE-2026-44001
vm2 has a Sandbox Escape via Promise Constructor Unhandled Rejection (Process Crash DoS)
CRITICAL 10.0
CVE-2026-44005
vm2: Mutable Proxies for Host Intrinsic Prototypes Allows Sandbox Escape
MEDIUM 6.5
CVE-2026-44000
vm2 Host Promise Resolution Preserves Object Identity Across Sandbox Boundary
HIGH 8.5
CVE-2026-43998
vm2 has a NodeVM require.root bypass via symlink traversal that allows sandbox escape
CRITICAL 9.1
CVE-2026-44007
vm2 NodeVM `nesting: true` bypasses `require: false` allowing sandbox escape and arbitrary OS command execution
CRITICAL 9.8
CVE-2026-44009
vm2 has Sandbox Breakout Through Null Proto Exception
CRITICAL 9.8
CVE-2026-44008
vm2 has sandbox breakout via `neutralizeArraySpeciesBatch`
CRITICAL 9.9
CVE-2026-43999
vm2 has a NodeVM builtin allowlist bypass via `module` builtin's `Module._load` that allows sandbox escape
HIGH 7.5
CVE-2026-44004
vm2 Sandbox Access to Host Buffer.alloc Allows timeout Bypass Resulting in Memory Exhaustion
CRITICAL 10.0
CVE-2026-43997
vm2 Access to Host Object Enables Sandbox Escape
MEDIUM 5.3
GHSA-2cm2-m3w5-gp2f
vm2 has access to `VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL`
CRITICAL 9.8
CVE-2026-24118
VM2 Sandbox Breakout Through __lookupGetter__
CRITICAL 9.8
CVE-2026-24781
VM2 Has Sandbox Breakout Through Inspect Function
CRITICAL 9.8
CVE-2026-26332
VM2 Has a Sandbox Escape Issue via SuppressedError
CRITICAL 9.8
CVE-2026-24120
VM2 Has Sandbox Breakout Through Promise Species
HIGH 8.3
CVE-2019-10761
vm2 before 3.6.11 vulnerable to sandbox escape
CRITICAL 9.8
CVE-2021-23555
Sandbox bypass in vm2
CRITICAL 9.8
CVE-2021-23449
Prototype Pollution in vm2
CRITICAL 9.8
CVE-2023-37466
vm2 Sandbox Escape vulnerability
CRITICAL 9.8
CVE-2026-22709
vm2 has a Sandbox Escape
CRITICAL 9.8
CVE-2023-37903
vm2 Sandbox Escape vulnerability
CRITICAL 9.8
CVE-2023-32314
vm2 Sandbox Escape vulnerability
MEDIUM 5.3
CVE-2023-32313
vm2 vulnerable to Inspect Manipulation
CRITICAL 9.8
CVE-2023-30547
vm2 Sandbox Escape vulnerability
CRITICAL 9.8
CVE-2023-29199
vm2 Sandbox Escape vulnerability
CRITICAL 9.8
CVE-2023-29017
vm2 vulnerable to sandbox escape
CRITICAL 10.0
CVE-2022-36067
vm2 vulnerable to Sandbox Escape resulting in Remote Code Execution on host
CRITICAL 9.8
CVE-2022-25893
vm2 vulnerable to Arbitrary Code Execution
Ready to move
Start Securing
Free, no credit card | First findings in minutes