ByteOS Network

NVD Vulnerability Details :

CVE-2026-47140

Deferred

Source-security-advisories@github.com

Published At-12 Jun, 2026 | 15:16

Updated At-12 Jun, 2026 | 17:16

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM blocks several dangerous Node.js builtins such as module, worker_threads, cluster, vm, repl, and inspector. However, the denylist misses process and inspector/promises. Both can be used from sandboxed code to reach host-side execution primitives. This allows sandboxed code to bypass the intended builtin restrictions and execute code in the host process. This issue has been patched in version 3.11.4.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	10.0	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Type: Secondary

Version: 3.1

Base score: 10.0

Base severity: CRITICAL

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Weaknesses

CWE ID	Type	Source
CWE-693	Secondary	security-advisories@github.com

CWE ID: CWE-693

Type: Secondary

Source: security-advisories@github.com

References

Hyperlink	Source	Resource
https://github.com/patriksimek/vm2/commit/a1ed47a98d1cc36cb48c0d566d55889688e0b59b	security-advisories@github.com	N/A
https://github.com/patriksimek/vm2/releases/tag/v3.11.4	security-advisories@github.com	N/A
https://github.com/patriksimek/vm2/security/advisories/GHSA-rp36-8xq3-r6c4	security-advisories@github.com	N/A
https://github.com/patriksimek/vm2/security/advisories/GHSA-rp36-8xq3-r6c4	134c704f-9b21-4f2e-91b3-4a467353bcc0	N/A