CVE-2026-47140

CVE Database · CVE-2026-47140

CVE-2026-47140

· CRITICALDeferred

CVSS v3.1

10.0

EPSS

0.88%

Published

Jun 12, 2026

Modified

Jun 12, 2026

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM blocks several dangerous Node.js builtins such as module, worker_threads, cluster, vm, repl, and inspector. However, the denylist misses process and inspector/promises. Both can be used from sandboxed code to reach host-side execution primitives. This allows sandboxed code to bypass the intended builtin restrictions and execute code in the host process. This issue has been patched in version 3.11.4.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Weaknesses (CWE)

CWE-693

References (4)

https://github.com/patriksimek/vm2/commit/a1ed47a98d1cc36cb48c0d566d55889688e0b59b

https://github.com/patriksimek/vm2/releases/tag/v3.11.4

https://github.com/patriksimek/vm2/security/advisories/GHSA-rp36-8xq3-r6c4

KEV Catalog EPSS Scores Vendors All CVEs