VYPR
Critical severity9.8NVD Advisory· Published May 4, 2026· Updated May 6, 2026

CVE-2026-26332

CVE-2026-26332

Description

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
vm2npm
< 3.11.03.11.0

Affected products

3
  • Patriksimek/Vm2references2 versions
    (expand)+ 1 more
    • (no CPE)
    • cpe:2.3:a:vm2_project:vm2:*:*:*:*:*:node.js:*:*range: <3.11.0
  • ghsa-coords
    Range: < 3.11.0

Patches

Vulnerability mechanics

References

9

News mentions

1