CVE-2026-26332

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0.

critical 9.8 CVSS 3.1

Published: May 4, 2026

Modified: May 5, 2026

Description

References

https://github.com/patriksimek/vm2/releases/tag/v3.11.0
https://github.com/patriksimek/vm2/security/advisories/GHSA-55hx-c926-fr95
https://github.com/patriksimek/vm2/security/advisories/GHSA-55hx-c926-fr95

Version	3.1
Score	9.8 / 10
Severity	critical