CVE DATABASE / CVE-2026-44005

CVE-2026-44005

CVSS 10 · CRITICAL

Summary

vm2 is an open source vm/sandbox for Node.js. From 3.9.6 to 3.10.5, vm2's bridge exposes mutable proxies for real host-realm intrinsic prototypes and then forwards sandbox writes into the underlying host objects with otherReflectSet() and otherReflectDefineProperty(), which lets attacker-controlled JavaScript running in a default VM or inherited NodeVM mutate shared host Object.prototype, Array.prototype, and Function.prototype from inside the sandbox This vulnerability is fixed in 3.11.0.

CVSS 3.1 breakdown

Base score	10 (CRITICAL)
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H
Attack vector	NETWORK
Attack complexity	LOW
Privileges required	NONE
User interaction	NONE
Scope	CHANGED
Confidentiality	NONE
Integrity	HIGH
Availability	HIGH

Weakness type (CWE)

Affected products

Vm2_project vm2

Check this CVE live

Use our free CVE Lookup tool for the latest NVD record, or browse the full CISA KEV catalog.

Our coverage

Twelve Critical vm2 Node.js Vulnerabilities Enable Sandbox Escape and Arbitrary Code Execution

References

https://github.com/patriksimek/vm2/security/advisories/GHSA-vwrp-x96c-mhwq

Data: NIST NVD. NVD last modified 2026-05-14. Always verify against the vendor advisory before acting.