CVE-2026-24120
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented al
CVSS
9.8
Critical
EPSS
0.9%
p56
KEV
—
Exploit Today
17
0-100
Published: May 4, 2026 · Last modified: Jul 15, 2026 · CWE-94 · CWE-693 · CWE-807
0.9%EPSS · 30 days0.9%
2026-06-302026-07-16
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.10.5.
- github.comhttps://github.com/patriksimek/vm2/releases/tag/v3.10.5
- github.comhttps://github.com/patriksimek/vm2/security/advisories/GHSA-qvjj-29qf-hp7p
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2026-24120
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2466529
- github.comhttps://github.com/patriksimek/vm2/security/advisories/GHSA-qvjj-29qf-hp7p
- security.access.redhat.comhttps://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-24120.json
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2025-32489.8 CRI100.0%
KEV—80Langflow Missing Authentication Vulnerability2dCVE-2026-341978.8 HIG99.9%
KEV—80Apache ActiveMQ Improper Input Validation Vulnerability2dCVE-2026-154107.2 HIG71.1%
KEV—71SonicWall SMA1000 Appliances Code Injection Vulnerability18hCVE-2025-670389.8 CRI55.3%
KEV—67Lantronix EDS5000 Code Injection Vulnerability10dCVE-2021-416539.8 CRI99.5%
——30The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to remote code execution via a crafted payload in an IP address input field.8dCVE-2023-362558.8 HIG99.0%
——30An issue in Eramba Limited Eramba Enterprise and Community edition v.3.19.1 allows a remote attacker to execute arbitrary code via the path parameter in the URL.8d