socradar.io 5/7/2026, 11:51:27 AM · via preferred

CVE-2026-26956: vm2 Sandbox Escape Enables Host RCE in Node.js 25

CyberSIXT Evidence Panel
Primary Source: github.com
CISA KEV: Not in KEV
Patch: Status Unknown

CVE-2026-26956 is a critical sandbox escape in vm2, a library used to run untrusted JavaScript inside Node.js. vm2 3.10.4 is affected and the fix ships in 3.10.5. The vulnerability is specific to Node.js 25: the demonstration targets Node.js v25.6.1 (x64 Linux) and requires WebAssembly exception handling and WebAssembly.JSTag support, which is what narrows the CVE's scope to Node 25.

Exploitation leads to host RCE: the escape obtains a reference to the host process object from inside VM.run(), and once the sandbox boundary collapses the attacker can execute commands through Node's child_process module. The CVSS score is 9.8, which is critical severity. A working PoC is available in the CVE-2026-26956 security advisory, though there is no authoritative confirmation of in-the-wild exploitation at this time.

Defence guidance from SOCRadar, drawing on the CVE-2026-26956 security advisory, emphasises upgrading to vm2 3.10.5 or later, migrating to an actively supported alternative such as isolated-vm, and auditing every code path that passes untrusted input to VM.run(). Confirming that the vm2 workload does not run on Node.js 25 removes the precondition the PoC depends on, but it is an interim measure rather than a substitute for the upgrade.
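The following check is an added example for this summary, not code from SOCRadar, CyberSIXT or the vm2 project. It encodes the three preconditions the summary states (vm2 below the 3.10.5 fix, Node.js major 25, WebAssembly.JSTag present) as a verdict with reasons, and pairs it with a heuristic scan for VM.run() calls fed with non-literal input, which is the "untrusted input" audit item. Assumptions: every vm2 release below 3.10.5 is treated as unpatched (the page names only 3.10.4); the installed version is read from vm2/package.json, which a package "exports" map could block; the source scan is regex-based and is a triage aid, not a parser. The sample source it scans is constructed for the example.

```javascript
'use strict';
// Added example, not code from SOCRadar, CyberSIXT or the vm2 project.
// Encodes the advisory's stated preconditions (vm2 < 3.10.5, Node.js 25,
// WebAssembly.JSTag present) and a heuristic scan for dynamic VM.run() input.

const FIXED_VM2 = [3, 10, 5];     // page: fix shipped in vm2 3.10.5
const AFFECTED_NODE_MAJOR = 25;   // page: the escape is Node.js 25 specific

// "3.10.4" or "v25.6.1" -> [3, 10, 4] / [25, 6, 1]; pre-release tags are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic compare of two [major, minor, patch] triples.
function cmpVersion(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Verdicts: 'not-applicable' (vm2 absent), 'patched', 'unpatched-vm2'
// (upgrade anyway; the PoC's Node 25 / JSTag precondition is missing) or
// 'exploitable-preconditions-met'. Assumption: every release below 3.10.5 is
// treated as unpatched; the page itself names only 3.10.4.
function assessVm2Exposure({ vm2Version, nodeVersion, hasJSTag }) {
  if (vm2Version === null || vm2Version === undefined) {
    return { verdict: 'not-applicable', reasons: ['vm2 is not installed'] };
  }
  const reasons = [];
  const unpatched = cmpVersion(parseVersion(vm2Version), FIXED_VM2) < 0;
  const nodeMajor = parseVersion(nodeVersion)[0];
  reasons.push(unpatched
    ? `vm2 ${vm2Version} is below the fixed release 3.10.5`
    : `vm2 ${vm2Version} is at or above 3.10.5`);
  reasons.push(nodeMajor === AFFECTED_NODE_MAJOR
    ? `Node.js ${nodeMajor} matches the advisory scope`
    : `Node.js ${nodeMajor} is outside the stated Node 25 scope`);
  reasons.push(hasJSTag ? 'WebAssembly.JSTag is available' : 'WebAssembly.JSTag is absent');
  let verdict = 'patched';
  if (unpatched) {
    verdict = (nodeMajor === AFFECTED_NODE_MAJOR && hasJSTag)
      ? 'exploitable-preconditions-met' : 'unpatched-vm2';
  }
  return { verdict, reasons };
}

// Read the live process. Looking up 'vm2/package.json' is an assumption about
// vm2's packaging; if a package "exports" map blocks the subpath, vm2 is
// reported as absent and the result must be rechecked by hand.
function readEnvironment() {
  let vm2Version = null;
  try {
    vm2Version = require('vm2/package.json').version;
  } catch (e) { /* not installed, or subpath not exported */ }
  const hasJSTag = typeof WebAssembly !== 'undefined' && typeof WebAssembly.JSTag !== 'undefined';
  return { vm2Version, nodeVersion: process.version, hasJSTag };
}

// Heuristic audit for the page's "untrusted input passed to VM.run()" item:
// in a file that imports vm2, flag every .run( call whose first argument is
// not a plain string literal. Regex-based, so it over- and under-approximates.
function findDynamicVmRunCalls(source) {
  if (!/require\(['"]vm2['"]\)|from\s+['"]vm2['"]/.test(source)) return [];
  const hits = [];
  source.split('\n').forEach((line, i) => {
    const m = /\.run\(\s*([^)]*)\)/.exec(line);
    if (!m) return;
    const arg = m[1].trim();
    const quoted = /^(['"]).*\1$/.test(arg);
    const template = /^`[^`]*`$/.test(arg) && !arg.includes('${');
    if (!quoted && !template) hits.push({ line: i + 1, arg });
  });
  return hits;
}

// Constructed sample file for the scanner (not real project code).
const SAMPLE_SOURCE = [
  "const { VM } = require('vm2');",
  "const vm = new VM({ timeout: 1000 });",
  "vm.run('1 + 1');                       // literal: not flagged",
  "vm.run(req.body.expression);           // user-controlled: flagged",
  "vm.run(`${prefix}; main`, 'job.js');   // interpolated template: flagged",
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(assessVm2Exposure(readEnvironment()));
  console.log(findDynamicVmRunCalls(SAMPLE_SOURCE));
}
```

Run it with node inside the service's checkout to get the environment verdict; point findDynamicVmRunCalls at each file that imports vm2 to build the review list. A 'patched' verdict only addresses this CVE, so the migration item above still stands.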


Article by CyberSIXT