Critical Node.js Sandbox Escapes and Microsoft Patch Tuesday
Multiple critical sandbox escape flaws in vm2, a massive Microsoft Patch Tuesday, and active exploitation of a WordPress plugin highlight today's security landscape.

A wave of vulnerabilities has hit the vm2 Node.js sandbox library, with researchers identifying multiple critical flaws that allow attackers to escape the sandbox and execute arbitrary code on the host system. The vulnerabilities, which include CVE-2026-43997, CVE-2026-43999, CVE-2026-44005, CVE-2026-44006, CVE-2026-44008, and CVE-2026-44009, stem from issues ranging from improper prototype handling to bypasses of the built-in module allowlist. As The Hacker News reported, these flaws effectively nullify the security guarantees of the library, which is widely used for executing untrusted code. Developers are urged to update to the latest patched versions immediately to mitigate the risk of full system compromise.
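Because vm2 is frequently pulled in transitively, the first practical step for a team is to find every copy of it in their dependency tree rather than only the one listed in package.json. The following script is an added example, not code from the article, vm2, or any of the cited outlets: it walks an npm package-lock.json (both the v2/v3 "packages" map and the older v1 "dependencies" tree) and flags every vm2 entry whose version is below a patched threshold. The article does not state the fixed version numbers, so PATCHED_VM2 is a placeholder to be replaced with the version named in the vm2 advisory; the lockfile contents are constructed sample data.

```javascript
// Added example (not from the article or the vm2 project). Audits a parsed
// npm lockfile for vm2 and reports copies older than a patched threshold.
// PLACEHOLDER: the article gives no fixed version; take it from the vm2
// advisory before relying on this check.
const PATCHED_VM2 = '9.9.9';

// Parse "MAJOR.MINOR.PATCH" (tolerating a leading ^, ~, = or v) into numbers.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).replace(/^[\^~=v]/, ''));
  return m ? m.slice(1, 4).map(Number) : null;
}

// Returns -1, 0 or 1 for a < b, a == b, a > b on [major, minor, patch] arrays.
function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Collect every installed copy of `name`, including nested duplicates under
// other packages' node_modules directories.
function findPackage(lock, name) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        hits.push({ path, version: meta.version });
      }
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const p = `${prefix}node_modules/${dep}`;
      if (dep === name) hits.push({ path: p, version: meta.version });
      walk(meta.dependencies, `${p}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Mark each vm2 copy as vulnerable when it is older than the patched
// threshold, or when its version string cannot be parsed at all.
function auditVm2(lock, patched = PATCHED_VM2) {
  const threshold = parseSemver(patched);
  return findPackage(lock, 'vm2').map((h) => {
    const ver = parseSemver(h.version);
    return { ...h, vulnerable: ver === null || compareSemver(ver, threshold) < 0 };
  });
}

// Constructed sample lockfile (v3 format): one direct vm2 dependency and a
// second, nested copy pulled in by a plugin. Versions are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/vm2': { version: '3.9.19' },
    'node_modules/some-plugin': { version: '2.0.0' },
    'node_modules/some-plugin/node_modules/vm2': { version: '9.9.9' },
  },
};

for (const r of auditVm2(SAMPLE_LOCK)) {
  console.log(`${r.path}@${r.version}: ${r.vulnerable ? 'UPDATE' : 'ok'}`);
}
```

In a real repository, replace SAMPLE_LOCK with the parsed contents of package-lock.json (JSON.parse of the file) and run the check in CI so a vulnerable vm2 that reappears through a transitive dependency fails the build rather than going unnoticed.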
Microsoft’s May 2026 Patch Tuesday has addressed a significant volume of vulnerabilities, including critical remote code execution and privilege escalation flaws across its ecosystem. Notable entries include CVE-2026-42898 in Microsoft Dynamics 365 and CVE-2026-42823 in Azure Logic Apps, both of which allow authorized attackers to execute code or elevate privileges over a network. As BleepingComputer and The Hacker News highlighted, no zero-days were reported, but the sheer scale of the release, which covers over 100 vulnerabilities, underscores the ongoing challenge of maintaining security in complex enterprise environments. Organizations should prioritize these updates to prevent potential exploitation of these high-risk flaws.
The Burst Statistics WordPress plugin is currently under active exploitation due to a critical authentication bypass vulnerability, tracked as CVE-2026-8181. This flaw, which affects versions 3.4.0 through 3.4.1.1, stems from incorrect return-value handling, allowing unauthenticated attackers to bypass security controls. As BleepingComputer and Wordfence reported, the vulnerability puts approximately 200,000 sites at risk. Administrators are advised to update the plugin immediately, as the active exploitation indicates that threat actors are already leveraging this flaw to compromise vulnerable installations.
Several other critical vulnerabilities have been disclosed across various platforms, including a hardcoded JWT secret in SOCFortress CoPilot (CVE-2026-42823) and a sandbox escape in the Luanti game-creation platform (CVE-2026-41196). Additionally, the Akilli Commerce E-Commerce Website is affected by both an authorization bypass (CVE-2026-2347) and a blind SQL injection vulnerability (CVE-2025-11024). These disclosures highlight the persistent risk of credential mismanagement and input validation errors in web applications. Security teams should audit their environments for these specific products and apply available patches to prevent unauthorized access or data exfiltration.