Every CVE whose affected-product data names Vm2 Project Vm2, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (32)
CVE-2022-36067 — CVSS 10.0 (critical): vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor…
CVE-2023-29017 — CVSS 10.0 (critical): vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Prior to version 3.9.15, vm2 was not properly…
CVE-2026-44006 — CVSS 10.0 (critical): vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, It is possible to reach BaseHandler.getPrototypeOf, which can be used to get…
CVE-2026-43997 — CVSS 10.0 (critical): vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the…
CVE-2026-44005 — CVSS 10.0 (critical): vm2 is an open source vm/sandbox for Node.js. From 3.9.6 to 3.10.5, vm2's bridge exposes mutable proxies for real host-realm intrinsic…
CVE-2026-43999 — CVSS 9.9 (critical): vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, NodeVM's builtin allowlist can be bypassed when the module builtin is…
CVE-2023-32314 — CVSS 9.8 (critical): vm2 is a sandbox that can run untrusted code with Node's built-in modules. A sandbox escape vulnerability exists in vm2 for versions up to…
CVE-2023-37466 — CVSS 9.8 (critical): vm2 is an advanced vm/sandbox for Node.js. The library contains critical security issues and should not be used for production. The…
CVE-2023-37903 — CVSS 9.8 (critical): vm2 is an open source vm/sandbox for Node.js. In vm2 for versions up to and including 3.9.19, Node.js custom inspect function allows…
CVE-2026-22709 — CVSS 9.8 (critical): vm2 is an open source vm/sandbox for Node.js. In vm2 prior to version 3.10.2, `Promise.prototype.then` `Promise.prototype.catch` callback…
CVE-2026-24118 — CVSS 9.8 (critical): vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability. This allows…
CVE-2026-24120 — CVSS 9.8 (critical): vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented…
CVE-2026-24781 — CVSS 9.8 (critical): vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability through the…
CVE-2026-26332 — CVSS 9.8 (critical): vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run…
CVE-2026-26956 — CVSS 9.8 (critical): vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution…
CVE-2026-45411 — CVSS 9.8 (critical): vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.3, it is possible to catch a host exception using the yield* expression inside…
CVE-2021-23449 — CVSS 9.8 (critical): This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitrary code on the…
CVE-2021-23555 — CVSS 9.8 (critical): The package vm2 before 3.9.6 are vulnerable to Sandbox Bypass via direct access to host error objects generated by node internals during…
CVE-2022-25893 — CVSS 9.8 (critical): The package vm2 before 3.9.10 are vulnerable to Arbitrary Code Execution due to the usage of prototype lookup for the WeakMap.prototype.set…
CVE-2023-29199 — CVSS 9.8 (critical): There exists a vulnerability in source code transformer (exception sanitization logic) of vm2 for versions up to 3.9.15, allowing attackers…
CVE-2023-30547 — CVSS 9.8 (critical): vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. There exists a vulnerability in exception…
CVE-2026-44008 — CVSS 9.8 (critical): vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, the new method neutralizeArraySpeciesBatch works with objects from the other…
CVE-2026-44007 — CVSS 9.1 (critical): vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.1, when a NodeVM is created with nesting: true, sandbox code can…
CVE-2026-44001 — CVSS 8.6 (high): vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, a sandbox escape vulnerability in vm2 v3.10.5 allows any sandboxed code to…
CVE-2026-43998 — CVSS 8.5 (high): vm2 is an open source vm/sandbox for Node.js. In 3.10.5, NodeVM's require.root path restriction can be bypassed using filesystem symlinks…
CVE-2019-10761 — CVSS 8.3 (high): This affects the package vm2 before 3.6.11. It is possible to trigger a RangeError exception from the host rather than the "sandboxed"…
CVE-2026-44004 — CVSS 7.5 (high): vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, sandboxed code can call Buffer.alloc() with an arbitrary size to allocate…
CVE-2026-44000 — CVSS 6.5 (medium): vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, a sandbox boundary violation in vm2 allows host object identity to cross…
CVE-2026-44002 — CVSS 5.8 (medium): vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, vm2's CallSite wrapper class (intended as a safe wrapper for V8's native…
CVE-2023-32313 — CVSS 5.3 (medium): vm2 is a sandbox that can run untrusted code with Node's built-in modules. In versions 3.9.17 and lower of vm2 it was possible to get a…
CVE-2026-44003 — CVSS 5.3 (medium): vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, vm2's code transformer has a performance optimization that skips AST…