CVE-2026-24781

CriticalPublic PoCRCE

Published: 04 May 2026

Published

04 May 2026

Modified

08 May 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0017 37.8th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-24781 is a critical-severity Code Injection (CWE-94) vulnerability in Vm2 Project Vm2. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 37.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the sandbox breakout vulnerability in vm2 prior to version 3.11.0 by requiring timely patching to prevent arbitrary command execution via the inspect function.

RA-5 Vulnerability Monitoring and Scanning good match

prevent

Scans for and identifies vulnerable versions of the vm2 Node.js sandbox library affected by CVE-2026-24781, enabling proactive flaw remediation.

CM-10 Software Usage Restrictions partial match

prevent

Restricts deployment and execution of unapproved or vulnerable software such as outdated vm2 versions, mitigating risk of sandbox escape exploitation.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.007 JavaScript Execution

Adversaries may abuse various implementations of JavaScript for execution.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

Sandbox escape in vm2 enables remote code injection (CWE-94) leading to arbitrary command execution on the host. Directly maps to exploiting a public-facing Node.js application (T1190), JavaScript command interpreter abuse (T1059.007), and privilege escalation via isolation bypass (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability through the inspect function. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands…

on the host system. This issue has been patched in version 3.11.0.

Deeper analysisAI

CVE-2026-24781 is a sandbox breakout vulnerability in vm2, an open source virtual machine and sandbox for Node.js applications. Affecting versions prior to 3.11.0, the flaw exists in the inspect function, enabling attackers to craft code that escapes the VM2 sandbox isolation. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-94 (Code Injection) and CWE-693 (Protection Mechanism Failure).

Remote attackers require no privileges or user interaction to exploit this issue over the network with low complexity. Successful exploitation allows arbitrary command execution on the host system, potentially leading to full compromise including high-impact confidentiality, integrity, and availability violations.

The vulnerability has been patched in vm2 version 3.11.0, as detailed in the project's GitHub security advisory (GHSA-v37h-5mfm-c47c) and release notes. Multiple commits address the issue, including 8d30d93213c1898b3e035298b89a814970dd1189, bdd3d15e57bc4ec5e70365cd79f7cb0256e5f88c, and fd266d084e0a3322d0f71ba2a8dc4c96cd030228, with users advised to upgrade immediately.

Details

CWE(s): CWE-94 CWE-693

Affected Products

vm2 project

vm2

≤ 3.11.0

CVEs Like This One

CVE-2026-24118Same product: Vm2 Project Vm2

CVE-2026-26332Same product: Vm2 Project Vm2

CVE-2026-24120Same product: Vm2 Project Vm2

CVE-2026-22709Same product: Vm2 Project Vm2

CVE-2026-26956Same product: Vm2 Project Vm2

CVE-2026-43997Same product: Vm2 Project Vm2

CVE-2026-44000Same product: Vm2 Project Vm2

CVE-2026-44006Same product: Vm2 Project Vm2

CVE-2026-44005Same product: Vm2 Project Vm2

CVE-2026-44007Same product: Vm2 Project Vm2

References

https://github.com/patriksimek/vm2/commit/8d30d93213c1898b3e035298b89a814970dd1189
Patch · security-advisories@github.com
https://github.com/patriksimek/vm2/commit/bdd3d15e57bc4ec5e70365cd79f7cb0256e5f88c
Patch · security-advisories@github.com
https://github.com/patriksimek/vm2/commit/fd266d084e0a3322d0f71ba2a8dc4c96cd030228
Patch · security-advisories@github.com
https://github.com/patriksimek/vm2/releases/tag/v3.11.0
Release Notes · security-advisories@github.com
https://github.com/patriksimek/vm2/security/advisories/GHSA-v37h-5mfm-c47c
Exploit, Vendor Advisory · security-advisories@github.com