Code Injection in vm2 - #VU129592

Published: May 4, 2026


Vulnerability identifier: #VU129592
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: N/A
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Patrik Simek
Affected software: vm2

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper control of code generation in the vm2 sandbox when processing crafted JavaScript code. A remote attacker can supply specially crafted code to escape the sandbox and execute arbitrary code.

The issue allows access to host objects outside the intended sandbox boundary.


Remediation

Install the security update from the vendor's website.
