CVE-2026-43997
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the h
CVSS
10.0
Critical
EPSS
1.0%
p58
KEV
—
Exploit Today
17
0-100
Published: May 13, 2026 · Last modified: Jul 15, 2026 · CWE-94 · CWE-653
1.0%EPSS · 30 days1.0%
2026-06-302026-07-16
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the host Object, to escape the sandbox, one example would be using HostObject.getOwnPropertySymbols to obtain Symbol(nodejs.util.inspect.custom). This vulnerability is fixed in 3.11.0.
- github.comhttps://github.com/patriksimek/vm2/security/advisories/GHSA-47x8-96vw-5wg6
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2026-43997
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2477203
- github.comhttps://github.com/patriksimek/vm2/security/advisories/GHSA-47x8-96vw-5wg6
- security.access.redhat.comhttps://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-43997.json
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2025-32489.8 CRI100.0%
KEV—80Langflow Missing Authentication Vulnerability2dCVE-2026-341978.8 HIG99.9%
KEV—80Apache ActiveMQ Improper Input Validation Vulnerability2dCVE-2026-154107.2 HIG71.1%
KEV—71SonicWall SMA1000 Appliances Code Injection Vulnerability1dCVE-2025-670389.8 CRI55.3%
KEV—67Lantronix EDS5000 Code Injection Vulnerability11dCVE-2021-416539.8 CRI99.5%
——30The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to remote code execution via a crafted payload in an IP address input field.8dCVE-2023-362558.8 HIG99.0%
——30An issue in Eramba Limited Eramba Enterprise and Community edition v.3.19.1 allows a remote attacker to execute arbitrary code via the path parameter in the URL.8d