Warning: Full sandbox escape in NodeJS Sandbox vm2, Patch Immediately!

  • Published: 11/05/2026
  • Last update: 11/06/2026
  • Affected software: vm2
  • Affected versions: <= 3.10.4
  • Type: CWE-693 Protection Mechanism Failure
  • CVE/CVSS: CVE-2026-26956: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

https://github.com/patriksimek/vm2/security/advisories/GHSA-ffh4-j6h5-pg66

Risks

This vulnerability allows malware to escape a sandbox and gain full arbitrary code execution on the host machine. It is easy to exploit and a proof of concept is published by the vendor, increasing the likelihood of rapid active exploitation. It has a high impact on confidentiality, integrity and availability.

Description

Ivanti has released security updates for several high severity vulnerabilities affecting Ivanti Endpoint Manager Mobile (EPMM).

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Monitor/Detect

The CCB recommends that organizations upscale their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

References

https://nvd.nist.gov/vuln/detail/CVE-2026-26956