PT-2026-39192 · Npm · Vm2
Xmiliah · Published 2026-05-08 · Updated 2026-05-18 · CVE-2026-44009
CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
VM2 (affected versions not specified)
Description
A sandbox breakout allows attackers to write code that escapes the VM2 sandbox and executes arbitrary commands on the host system. The flaw is in the handleException() function, which assumes that an exception with a null prototype has been proxied from the other side. By throwing and catching an object with a null prototype, an attacker can obtain both the proxied and unproxied versions of a sandbox object, enabling access to the host Function object and resulting in Remote Code Execution.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Exposure of Resource to Wrong Sphere
Weakness Enumeration
Related Identifiers
Affected Products
Vm2