Originally published at: CVE-2026-26956: vm2 sandbox escape in 3.10.4 enables host code execution, patch available - ToolsLib Blog
CVE-2026-26956 allows a vm2 sandbox escape in version 3.10.4, enabling host code execution under specific Node.js 25 settings. NVD says it’s patched in 3.10.5.