CRITICALVulnerability
13 new critical holes in JavaScript sandbox allow execution of arbitrary code
Thirteen critical vulnerabilities have been found in the vm2 JavaScript sandbox package that could allow an attacker’s code to escape the container and do nasty things to IT environments. As a result, developers using this library in their applications are urged to update the software to the latest version, which is currently 3.11.2. The warnings come in advisories from vm2 maintainer Patrik Simek
CVE-2026-26956CVE-2026-44007