CVE-2026-24781
published 2026-05-04

Priority: P265 · Severity: critical · Score: 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 1.16% (63.0th percentile)

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability through the inspect function. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0.

Affected (5 ranges)

Vendor       | Product                                                                         | Version range   | Fixed in
patriksimek  | vm2                                                                             | < 3.11.0        | 3.11.0
rhdh         | backstage-community-plugin-catalog-backend-module-scaffolder-relation-processor |                 |
rhdh         | rhdh-hub-rhel9                                                                  |                 |
vm2_project  | vm2                                                                             | < 3.11.0        | 3.11.0
vm2_project  | vm2                                                                             | >= 0 < 3.11.0   | 3.11.0

Detection & IOCs (extracted from sources)

  • Sandbox breakout in vm2 is achieved via exploitation of the `inspect` function — monitor for unusual use of the inspect function within vm2-sandboxed Node.js processes
  • Any vm2 version prior to 3.11.0 running in Node.js environments should be treated as vulnerable and flagged in software inventory/SCA scans
  • Red Hat Developer Hub components are confirmed affected — audit deployments of rhdh/backstage-community-plugin-catalog-backend-module-scaffolder-relation-processor and rhdh/rhdh-hub-rhel9 for vulnerable vm2 versions
  • The vulnerability is fully patched in vm2 version 3.11.0; any deployment still running an older version remains exploitable

CVSS provenance

NVD (CVSS v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Red Hat (vendor): 9.8 CRITICAL