CVE-2026-44001 · HIGH 8.6 · EPSS p25.5%

CVE-2026-44001

Description

vm2 is an open-source VM/sandbox for Node.js. In versions prior to 3.11.0 (reported against v3.10.5), any sandboxed code can crash the host Node.js process with a single Promise constructor: a rejection raised from the executor is not intercepted by the sandbox, surfaces in the host as an unhandled rejection, and terminates the host process. The advisory describes this as a sandbox escape; the assigned CVSS vector (C:N/I:N/A:H) records the impact as availability only, i.e. a denial of service against the host. The fix for CVE-2026-22709 (v3.10.2) only sanitized the onRejected callback in the .then() and .catch() overrides and did not cover the executor-to-unhandledRejection path. The issue is fixed in 3.11.0.

Scoring

CVSS 3.1: 8.6 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
EPSS: 0.34% probability of exploitation · percentile 25.5% · 2026-06-18T12:00:27Z
Published: 2026-05-13
Last modified: 2026-05-18

Underlying weaknesses · 1

CWE-248 (Uncaught Exception)

References

  1. https://github.com/patriksimek/vm2/security/advisories/GHSA-hw58-p9xv-2mjh

1

Type      | Target                         | Confidence | Tier
Weakness  | Uncaught Exception (cwe-248)   | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  - CVE: CVE-2026-22709
  - CVE: CVE-2026-44009
  - CVE: CVE-2026-24120
  - CVE: CVE-2026-45411
  - CVE: CVE-2026-26956
  - CVE: CVE-2026-24118
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.