216.73.217.98

CVE-2026-44002

· Published 13/05/2026 18:16 · Modified 14/05/2026 15:23

Labels: CVE-2026-44002 2026-05-13CVE-2026-44002CWE-209[email protected]

Essential information

Published
13/05/2026 18:16
Modified
14/05/2026 15:23
Author
Creator
CVSS
5.8 MEDIUM (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

CVSS metrics

Description

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, vm2's CallSite wrapper class (intended as a safe wrapper for V8's native CallSite) blocks getThis() and getFunction() to prevent host object leakage, but allows getFileName() to return unsanitized host absolute paths. Any sandboxed code can extract the full directory structure, library paths, and framework versions of the host server. This vulnerability is fixed in 3.11.0.

NVD status

Status
Analyzed — CVE is currently being analyzed by NVD staff, this process results in association of reference link tags, CVSS scores, CWE association, and CPE applicability statements.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
vm2 project / vm2 cpe:2.3:a:vm2_project:vm2:*:*:*:*:*:node.js:*:*

References