CVE-2026-47208
published 2026-06-12


Priority: P267 (critical)
CVSS 3.1 base score: 10 (critical)
Vector: AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:H / A:H
EPSS: 0.51% (39.5th percentile)
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.4.

Affected

4 ranges

Vendor                      | Product           | Version range   | Fixed in
ansible-automation-platform | automation-portal |                 |
patriksimek                 | vm2               | < 3.11.4        | 3.11.4
rhdh                        | rhdh-hub-rhel9    |                 |
vm2_project                 | vm2               | >= 0 < 3.11.4   | 3.11.4

Detection & IOCs (extracted from sources)

  • The sandbox breakout is achieved via Promise[Symbol.species] manipulation in vm2; monitor for untrusted code execution patterns that override Promise[Symbol.species] within vm2 sandbox contexts.
  • Exploitation requires an attacker to supply untrusted malicious code to the vm2 sandbox; flag any use of vm2 versions prior to 3.11.4 that execute externally supplied code.
  • Successful exploitation leads to arbitrary code execution on the host system; monitor for unexpected child processes or system calls spawned from Node.js processes running the vm2 sandbox.
  • Affected Red Hat packages include rhdh/rhdh-hub-rhel9 (Red Hat Developer Hub) and ansible-automation-platform/automation-portal (Self-service automation portal 2); patch to vm2 3.11.4 or later.
  • No vendor-provided mitigation meets Red Hat's criteria; upgrading to vm2 3.11.4 is the only effective remediation.

CVSS provenance

nvd: v3.1, 10.0 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vendor_redhat: 10.0 CRITICAL