CVE-2026-47208 | vm2 is an open source vm/sandbox for Node.js. Prior to versi… | CVSS 10.0 CRITICAL

Description

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.4.

Metadata

CVE ID: CVE-2026-47208
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-05-18 22:25 UTC
Published: 2026-06-12 14:16 UTC
Last updated: 2026-06-13 03:55 UTC
Primary CWE: CWE-913
CWE-913: Improper Control of Dynamically-Managed Code Resour…
Vendor / Product: patriksimek / vm2
Sources: cve.org · NVD

Severity & Metrics

10.0 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
patriksimek	vm2	—	< 3.11.4

Weakness (CWE)

CWE	Source	Description
CWE-913	cna	CWE-913: Improper Control of Dynamically-Managed Code Resources

CVSS scores (1)

Score	Severity	Version	Source	Vector
10.0	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References (3)

https://github.com/patriksimek/vm2/security/advisories/GHSA-76w7-j9cq-rx2j https://github.com/patriksimek/vm2/security/advisories/GHSA-76w7-j9cq-rx2j
https://github.com/patriksimek/vm2/commit/a462655009669c3124ee39498121651597529ea8 https://github.com/patriksimek/vm2/commit/a462655009669c3124ee39498121651597529ea8
https://github.com/patriksimek/vm2/releases/tag/v3.11.4 https://github.com/patriksimek/vm2/releases/tag/v3.11.4