A dozen critical vulnerabilities have been disclosed in the vm2 Node.js library, enabling sandbox escapes and arbitrary code execution on affected systems. The flaws are listed as CVE-2026-24118, CVE-2026-24120, CVE-2026-24781, CVE-2026-26332, CVE-2026-26956, CVE-2026-43997, CVE-2026-43999, CVE-2026-44005, CVE-2026-44006, CVE-2026-44007, CVE-2026-44008 and CVE-2026-44009, with CVSS scores ranging up to 10.0.
Affected versions are principally 3.10.x and 3.11.0–3.11.2, with patches released in 3.11.0, 3.10.5, 3.11.1 and 3.11.2 as noted in the advisory sequence. The disclosure follows a previous critical sandbox-escape flaw (CVE-2026-22709) patched earlier, and the author notes that new bypasses are likely to be discovered in the future. According to The Hacker News report by Ravie Lakshmanan on 7 May 2026, users are advised to update to the latest version, 3.11.2, for optimal protection.