PT-2026-40731 · Npm · Vm2
Xmiliah · Published 2026-05-13 · Updated 2026-05-26
CVE-2026-45411
CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
vm2 versions prior to 3.11.3
Description
A sandbox breakout allows attackers to execute arbitrary commands on the host system. This occurs because a host exception can be caught using the yield* expression within an async generator. When the generator is closed via the return function, the value is awaited, and exceptions thrown in the then call are caught by the runtime and passed to the yield* iterator as the next value.
Recommendations
Update to version 3.11.3.
Exploit
Fix
RCE
Exposure of Resource to Wrong Sphere
Weakness Enumeration
Related Identifiers
Affected Products
Vm2