PatchSiren cyber security CVE debrief
CVE-2026-47141 patriksimek CVE debrief
CVE-2026-47141 is a vulnerability in vm2, an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM exposes some process-wide observability builtins when they are allowed through require.builtin. The diagnostics_channel, async_hooks, and perf_hooks builtins are not blocked by the dangerous builtin denylist. These modules are process-wide, not sandbox-local. Sandboxed code can use them to observe host application data across the vm2 boundary. This issue has been patched in version 3.11.4.
- Vendor: patriksimek
- Product: vm2
- CVSS: MEDIUM 6.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-13
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-13
Who should care
Users of vm2, an open source vm/sandbox for Node.js, should be aware of this vulnerability if they use versions prior to 3.11.4.
Technical summary
CVE-2026-47141 has a CVSS score of 6.9 and is classified as MEDIUM severity. When the diagnostics_channel, async_hooks, or perf_hooks builtins are allowed through require.builtin, sandboxed code can load them and, because they are process-wide rather than sandbox-local, observe host application data across the vm2 boundary.
Defensive priority
MEDIUM
Recommended defensive actions
- Update vm2 to version 3.11.4 or later.
- Review and restrict the use of require.builtin in sandboxed environments; in particular, do not allow diagnostics_channel, async_hooks, or perf_hooks (including wildcard allowlists that would include them).
Evidence notes
CVE-2026-47141 was published on 2026-06-12T15:16:28.537Z and modified on 2026-06-13T04:17:30.950Z.
Official resources
CVE-2026-47141 was patched in version 3.11.4 of vm2.