Cyber Posture

CVE-2026-26332

Critical · Public PoC · RCE

Published: 04 May 2026

Modified: 06 May 2026
KEV Added: not listed
Patch: not specified
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0008 (23.6th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-26332 is a critical-severity Code Injection (CWE-94) vulnerability in Vm2 Project Vm2. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 23.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

Prevent: SI-2 mandates timely remediation of identified flaws, directly addressing CVE-2026-26332 by requiring patching of vm2 to version 3.11.0.

Prevent · Detect: RA-5 requires vulnerability scanning of system components and dependencies, enabling early detection and remediation of the vm2 sandbox escape vulnerability.

Prevent: SC-50 enforces robust software-based separation and policy mechanisms, mitigating sandbox escape risks such as the SuppressedError-based escape in vm2 by requiring verified isolation.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.007 JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

The CVE enables remote, unauthenticated arbitrary code execution via a sandbox escape in a Node.js library (CWE-94), which maps directly to exploitation of exposed applications and to JavaScript-based command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0.

Deeper analysis (AI-generated)

CVE-2026-26332 is a critical vulnerability in vm2, an open source virtual machine and sandbox implementation for Node.js. Prior to version 3.11.0, the SuppressedError mechanism allows attackers to escape the sandbox confines and execute arbitrary code on the host system. The issue is associated with CWE-94 (code injection) and CWE-693 (protection mechanism failure), earning a CVSS v3.1 base score of 9.8.

The vulnerability enables remote exploitation over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N), no user interaction (UI:N), and resulting in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H) under an unchanged scope (S:U). Any unauthenticated attacker able to trigger vm2 sandbox execution, such as through untrusted input in Node.js applications using the library for code isolation, can break out and run arbitrary code with the privileges of the hosting process.

The vulnerability has been patched in vm2 version 3.11.0. Security advisories and release notes on GitHub, including GHSA-55hx-c926-fr95 and the v3.11.0 release tag, detail the fix and recommend upgrading immediately to mitigate the sandbox escape risk.

Details

CWE(s): CWE-94 (Code Injection), CWE-693 (Protection Mechanism Failure)

Affected Products

Vendor: vm2 project · Product: vm2 · Versions: ≤ 3.11.0

CVEs Like This One

CVE-2026-24781 (same product: Vm2 Project Vm2)
CVE-2026-26956 (same product: Vm2 Project Vm2)
CVE-2026-24118 (same product: Vm2 Project Vm2)
CVE-2026-24120 (same product: Vm2 Project Vm2)
CVE-2026-22709 (same product: Vm2 Project Vm2)
CVE-2026-25887 (shared CWE-94)
CVE-2026-4800 (shared CWE-94)
CVE-2026-40911 (shared CWE-94)
CVE-2025-1302 (shared CWE-94)
CVE-2026-33943 (shared CWE-94)