cbcvebase.
CVE-2026-43997
published 2026-05-13

CVE-2026-43997: vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the host Object, to…

PriorityP357critical10CVSS 3.1
AVNACLPRNUINSCCHIHAH
EPSS
0.98%
57.7th percentile
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the host Object, to escape the sandbox, one example would be using HostObject.getOwnPropertySymbols to obtain Symbol(nodejs.util.inspect.custom). This vulnerability is fixed in 3.11.0.

Affected

5 ranges
VendorProductVersion rangeFixed in
ansible-automation-platformautomation-portal
patriksimekvm2< 3.11.03.11.0
rhdhrhdh-hub-rhel9
vm2_projectvm2< 3.11.03.11.0
vm2_projectvm2>= 0 < 3.11.03.11.0

CVSS provenance

nvdv3.110.0CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vendor_redhat10.0CRITICAL
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.