cbcvebase.
CVE-2026-47135
published 2026-06-12

CVE-2026-47135: vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, Symbol.for override in setup-sandbox.js only intercepts 2 of 9 dangerous Node.js…

PriorityP350high8.7CVSS 3.1
AVNACHPRNUINSCCHIHAN
EPSS
0.27%
18.2th percentile
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, Symbol.for override in setup-sandbox.js only intercepts 2 of 9 dangerous Node.js cross-realm symbols. Combined with the bridge's set/defineProperty/deleteProperty traps having no isDangerousCrossRealmSymbol key check, sandbox code can obtain real cross-realm symbols, write them to host objects, and control host-side behavior — verified with a full util.promisify hijack chain. This issue has been patched in version 3.11.4.

Affected

4 ranges
VendorProductVersion rangeFixed in
ansible-automation-platformautomation-portal
patriksimekvm2< 3.11.43.11.4
rhdhrhdh-hub-rhel9
vm2_projectvm2>= 0 < 3.11.43.11.4

CVSS provenance

nvdv3.18.7HIGHCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
vendor_redhat8.7HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.