A critical vulnerability in the vm2 Node.js sandboxing library (CVE-2026-26956) allows attackers to escape the sandbox and execute arbitrary code on the host system. It affects versions 3.10.4 and earlier; users are urged to upgrade to version 3.10.5 or later to mitigate this security risk.
CVE-2026-26956 allows attackers to execute arbitrary code on the host system by exploiting WebAssembly exception handling and JSTag support in environments with Node.js 25. vm2 has over 1.3 million weekly downloads, so the vulnerability poses a significant risk to the numerous systems that use it to isolate untrusted code. Users should upgrade immediately to version 3.10.5 or later to mitigate exploitation risks.
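To find affected copies, including ones pulled in transitively, a project's `package-lock.json` can be audited against the version boundary stated above. The following is an added example, not code from the vm2 project or the advisory; it assumes an npm lockfile with a `packages` map (lockfileVersion 2 or 3), and the sample lockfile and package names in it are constructed.

```javascript
// Added example: flag vm2 copies in an npm lockfile that the advisory lists as affected.
const FIXED = [3, 10, 5];        // first fixed release per the advisory text
const ADVISORY_NODE_MAJOR = 25;  // runtime named in the advisory text

// Split "3.10.4-rc.1+build" into a numeric core [3, 10, 4] and a prerelease flag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: Boolean(m[4]) };
}

// Conservative check: anything below 3.10.5, or not parseable, is reported.
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return true; // unknown format: report it so a human reviews it
  for (let i = 0; i < 3; i++) {
    if (p.core[i] !== FIXED[i]) return p.core[i] < FIXED[i];
  }
  return p.prerelease; // a 3.10.5 prerelease sorts before 3.10.5 itself
}

// Walk the lockfile "packages" map; nested node_modules paths are transitive copies.
function auditLockfile(lockfile, nodeVersion = process.version) {
  const findings = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!/(^|\/)node_modules\/vm2$/.test(path)) continue;
    findings.push({ path, version: meta.version, affected: isAffected(meta.version) });
  }
  const major = Number(/^v?(\d+)/.exec(nodeVersion)?.[1]);
  return {
    findings,
    affected: findings.filter((f) => f.affected),
    runtimeNamedInAdvisory: major === ADVISORY_NODE_MAJOR,
  };
}

// Constructed sample lockfile (package names are hypothetical).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/vm2": { version: "3.10.5" },
    "node_modules/rule-engine/node_modules/vm2": { version: "3.10.4" },
    "node_modules/legacy-runner/node_modules/vm2": { version: "3.9.19" },
  },
};

console.log(JSON.stringify(auditLockfile(sampleLock, "v25.0.0"), null, 2));
```

In a real project, pass the parsed contents of `package-lock.json` instead of `sampleLock`; every entry under `affected` needs its parent dependency updated or overridden so that it resolves to 3.10.5 or later.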