CVE-2026-24118
published 2026-05-04


Priority: P263
Severity: critical, 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.92% (55.7th percentile)
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0.

Affected

5 ranges

Vendor                     | Product           | Version range   | Fixed in
ansible-automation-platform | automation-portal |                 |
patriksimek                | vm2               | < 3.11.0        | 3.11.0
rhdh                       | rhdh-hub-rhel9    |                 |
vm2_project                | vm2               | < 3.11.0        | 3.11.0
vm2_project                | vm2               | >= 0 < 3.11.0   | 3.11.0

Detection & IOCs (extracted from sources)

  • Sandbox breakout in vm2 prior to version 3.11.0 allows arbitrary command execution on the host system; monitor for unexpected process spawning from Node.js processes using vm2
  • Exploitation requires the attacker to have privileges to run untrusted code within the vm2 environment, or to trick a user into running such code; alert on untrusted script execution within vm2-hosted environments
  • vm2 versions prior to 3.11.0 are vulnerable; upgrade to 3.11.0 or later to remediate
  • Red Hat Developer Hub is NOT affected, as vm2 is only a development dependency and is not reachable by an adversary in that product
  • Self-service automation portal 2 (ansible-automation-platform/automation-portal) is confirmed AFFECTED and should be prioritized for patching

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_redhat |         | 9.8   | CRITICAL |