**CVE-2026-26956** impacts **vm2** version 3.10.4, but earlier versions may also be affected. A proof-of-concept (PoC) exploit is publicly available, raising concerns about potential exploitation. ### Vulnerability Details The vulnerability specifically affects environments running **Node.js** 25 (confirmed on Node.js 25.6.1) with WebAssembly exception handling and JSTag support enabled, according to the maintainer's advisory. **vm2** is a widely used open-source Node.js library designed to execute untrusted JavaScript code within a restricted sandbox. It's commonly used by online coding platforms, automation tools, and SaaS applications to isolate user-supplied scripts from the host system and prevent access to sensitive Node.js APIs. With over 1.3 million weekly downloads on the **npm** (Node Package Manager), the impact of this vulnerability could be significant. ### Technical Explanation **CVE-2026-26956** arises from the library's improper handling of exceptions between the sandboxed environment and the host. **vm2** typically relies on JavaScript-level protections and bridge Proxies to safeguard against host-based errors. However, WebAssembly exception handling can bypass these defenses by intercepting JavaScript errors at a lower level within **Google's V8** engine. By triggering a specially crafted TypeError using Symbol-to-string conversion, an attacker can leak a host-side error object back into the sandbox, bypassing **vm2's** sanitization processes. This leaked object, originating from the host environment, allows attackers to abuse its constructor chain to regain access to Node.js internals, such as the process object, ultimately enabling arbitrary command execution on the host system. The maintainer's security advisory includes a PoC exploit demonstrating remote code execution. ### Mitigation Users of **vm2** are strongly advised to upgrade to version 3.10.5 or later (the latest version is 3.11.2) as soon as possible to mitigate the risk of exploitation. ### Previous Vulnerabilities This is not the first time **vm2** has been plagued by critical sandbox escape vulnerabilities. Earlier this year, **CVE-2026-22709** was discovered, allowing for arbitrary code execution on the host system. Other notable vulnerabilities include **CVE-2023-30547**, **CVE-2023-29017**, and **CVE-2022-36067**, underscoring the inherent difficulties in creating robust JavaScript sandboxes.  ## [99% of What Mythos Found Is Still Unpatched.](https://hubs.li/Q04crVgD0) AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming. At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what's exploitable, proves controls hold, and closes the remediation loop. [Claim Your Spot](https://hubs.li/Q04crVgD0)