CVE-2026-26956: VM2 Has a WASM Sandbox Escape (Node 25 only)

May 5, 2026

Full sandbox escape with arbitrary code execution. Attacker code inside VM.run() obtains host process object and runs host commands with zero host cooperation.

References

github.com/advisories/GHSA-ffh4-j6h5-pg66
github.com/patriksimek/vm2
github.com/patriksimek/vm2/releases/tag/v3.10.5
github.com/patriksimek/vm2/security/advisories/GHSA-ffh4-j6h5-pg66
nvd.nist.gov/vuln/detail/CVE-2026-26956

Code Behaviors & Features

Detect and mitigate CVE-2026-26956 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →