CVE-2026-24118— VM2 Sandbox Breakout Through lookupGetter

CVSS 9.8 · Critical EPSS 0.13% · P32 Updated May 05, 2026

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-24118

AIGC Shenlong Model
NVD (National Vulnerability Database)

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

VM2 Sandbox Breakout Through __lookupGetter__

Source: NVD (National Vulnerability Database)

Vulnerability Description

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Source: NVD (National Vulnerability Database)

Vulnerability Type

对生成代码的控制不恰当(代码注入)

Source: NVD (National Vulnerability Database)

Shenlong Deep Dive — AI Deep Analysis

10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.

Read summary Full analysis (login)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
patriksimek	vm2	< 3.11.0	-

II. Public POCs for CVE-2026-24118

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2026-24118

Please Login to view more intelligence information

Release v3.11.0 · patriksimek/vm2 · GitHubx_refsource_MISC
VM2 Sandbox Breakout Through __lookupGetter__ · Advisory · patriksimek/vm2 · GitHubx_refsource_CONFIRM
test(GHSA-grj5-jjm8-h35p): add descriptor-chain history coverage (PoC… · patriksimek/vm2@2b5f3e3 · GitHubx_refsource_MISC
https://nvd.nist.gov/vuln/detail/CVE-2026-24118

Same Patch Batch · patriksimek · 2026-05-04 · 5 CVEs total

CVE-2026-26956	9.8 CRITICAL	vm2: WASM Sandbox Escape (Node 25 only)
CVE-2026-26332	9.8 CRITICAL	vm2: Sandbox Escape
CVE-2026-24781	9.8 CRITICAL	vm2: Sandbox Breakout Through Inspect
CVE-2026-24120	9.8 CRITICAL	vm2: Sandbox Breakout Through Promise Species

IV. Related Vulnerabilities

Same product: vm2

Same vendor: patriksimek

Same weakness: CWE-94

V. Comments for CVE-2026-24118

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-24118— VM2 Sandbox Breakout Through lookupGetter

I. Basic Information for CVE-2026-24118

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Shenlong Deep Dive — AI Deep Analysis

Affected Products

II. Public POCs for CVE-2026-24118

III. Intelligence Information for CVE-2026-24118

Same Patch Batch · patriksimek · 2026-05-04 · 5 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2026-24118

Leave a comment

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-24118— VM2 Sandbox Breakout Through __lookupGetter__

I. Basic Information for CVE-2026-24118

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Shenlong Deep Dive — AI Deep Analysis

Affected Products

II. Public POCs for CVE-2026-24118

III. Intelligence Information for CVE-2026-24118

Same Patch Batch · patriksimek · 2026-05-04 · 5 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2026-24118

Leave a comment

CVE-2026-24118— VM2 Sandbox Breakout Through lookupGetter