Main Vulnerability Database Vulnerabilities #VU130927

Improper handling of exceptional conditions in vm2 - #VU130927

Published: May 11, 2026

Vulnerability identifier: #VU130927

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: N/A

CWE-ID: CWE-755

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Patrik Simek

Affected software:
vm2

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code on the host system.

The vulnerability exists due to improper exception handling in the vm2 sandbox when processing async generator control flow with the yield* expression and generator return handling. A remote attacker can execute crafted code inside a vm2 sandbox to execute arbitrary code on the host system.

Exploitation requires the ability to run arbitrary code within the context of a vm2 sandbox.

Remediation

Install security update from vendor's website.

Sources

https://github.com/patriksimek/vm2/security/advisories/GHSA-248r-7h7q-cr24

Improper handling of exceptional conditions in vm2 - #VU130927

Detailed vulnerability description

Remediation

Sources

Please verify you're human