Protection Mechanism Failure

CVE-2026-26956

High

9.8/10

Summary

vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside "VM.run()" obtains host process object and runs host commands with zero host cooperation. This issue has been patched in version 3.10.5.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-693 - Protection Mechanism Failure

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

References

Advisory

Advisory Timeline

Published May 04, 2026

Protection Mechanism Failure

CVE-2026-26956

Summary

CWE-693 - Protection Mechanism Failure

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS