CVE Catalog

CVE-2026-44009

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
0.81%

52th percentile — higher than 52% of all known CVEs

Summary

A vulnerability in the vm2 library for Node.js allows sandbox escape. The issue is fixed in version 3.11.2.

Risk Assessment

An attacker can gain unauthorized access to the host operating system, leading to full compromise of the Node.js environment.

Recommendation

Immediately update the vm2 library to version 3.11.2 or later.

Original NVD description (English source)

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, This vulnerability is fixed in 3.11.2.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS