CVE-2026-44006
published 2026-05-13

Priority: P2 59
CVSS 3.1: 10.0 critical (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS: 0.81% (52.5th percentile)
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible for sandboxed code to reach BaseHandler.getPrototypeOf, which can be used to obtain arbitrary prototypes and serves as the primitive for a sandbox escape. This vulnerability is fixed in 3.11.0.

Affected

5 ranges

Vendor                        Product              Version range     Fixed in
ansible-automation-platform   automation-portal    -                 -
patriksimek                   vm2                  < 3.11.0          3.11.0
rhdh                          rhdh-hub-rhel9       -                 -
vm2_project                   vm2                  < 3.11.0          3.11.0
vm2_project                   vm2                  >= 0, < 3.11.0    3.11.0

Detection & IOCs (extracted from sources)

  • Sandboxed code that reaches BaseHandler.getPrototypeOf can retrieve arbitrary prototypes; this is the core exploitation primitive for the sandbox escape.
  • Inventory vm2 versions prior to 3.11.0 in Node.js environments; any execution of untrusted code under these versions may result in sandbox escape and host-level code execution.
  • Network-exposed services that accept user-supplied code and run it in a vm2 sandbox are at highest risk: the vulnerability is remotely exploitable with no authentication or user interaction required (CVSS AV:N/AC:L/PR:N/UI:N).
  • Red Hat Developer Hub (rhdh/rhdh-hub-rhel9) and Self-service automation portal 2 (ansible-automation-platform/automation-portal) are listed as under investigation for this vulnerability; patch status is not yet confirmed for these packages.
  • The fix is exclusively in vm2 version 3.11.0; any deployment running vm2 < 3.11.0 that executes untrusted code remains fully exposed. Note that vm2 is often pulled in transitively, so nested copies under other packages' node_modules need checking as well as the direct dependency.

CVSS provenance

NVD (CVSS v3.1): 10.0 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Red Hat (vendor): 10.0 CRITICAL