PatchSiren

patriksimek CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

CRITICAL patriksimek CVE published 2026-06-12

CVE-2026-47210

CVE-2026-47210 is a critical sandbox escape vulnerability in vm2, an open-source vm/sandbox for Node.js. The vulnerability allows arbitrary code execution in the host process when untrusted code is executed with async support on runtimes exposing WebAssembly JSPI. This issue was patched in version 3.11.4.

HIGH patriksimek CVE published 2026-06-12

CVE-2026-47209

CVE-2026-47209 is a HIGH severity vulnerability in vm2, an open-source vm/sandbox for Node.js. The set trap in BaseHandler is implemented improperly, so sandboxed code can write to the host target object through the proxy. That write path bypasses later security guards and lets an attacker place dangerous cross-realm Symbol keys on host objects.

MEDIUM patriksimek CVE published 2026-06-12

CVE-2026-47141

CVE-2026-47141 is a vulnerability in vm2, an open-source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM exposes some process-wide observability builtins when they are allowed through require.builtin. The diagnostics_channel, async_hooks, and perf_hooks builtins are not blocked by the dangerous-builtin denylist. These modules are process-wide, not sandbox-local. Sandboxed code can use them to obse [truncated]

HIGH patriksimek CVE published 2026-06-12

CVE-2026-47139

CVE-2026-47139 is a HIGH severity vulnerability in vm2, an open-source vm/sandbox for Node.js. Sandboxed code can make outbound HTTP(S) requests and open listening HTTP sockets even when the public network modules are denied, because the underscored internal HTTP builtins such as _http_client and _http_server are not blocked when the public modules are excluded: denying a module by its public name does not deny the internals that implement it.

CRITICAL patriksimek CVE published 2026-06-12

CVE-2026-47137

CVE-2026-47137 is a critical vulnerability in vm2, an open-source vm/sandbox for Node.js. Prior to version 3.11.4, a fix introduced for GHSA-8hg8-63c5-gwmx (CVE-2023-37903) was incomplete. The check in nodevm.js line 263 blocks the combination nesting: true + require: false using strict equality (options.require === false). However, this check can be bypassed by omitting the require option entirely, causi [truncated]

HIGH patriksimek CVE published 2026-06-12

CVE-2026-47135

CVE-2026-47135 is a HIGH-severity vulnerability in vm2, an open-source vm/sandbox for Node.js. Prior to version 3.11.4, the Symbol.for override in setup-sandbox.js intercepts only 2 of the 9 dangerous Node.js cross-realm symbols. Sandboxed code can therefore obtain the real cross-realm symbols for the other keys, write them to host objects, and control host-side behavior. The vulnerability has been patched in version 3.11.4.

CRITICAL patriksimek CVE published 2026-06-12

CVE-2026-47131

CVE-2026-47131 is a critical vulnerability in vm2, an open-source vm/sandbox for Node.js. The vulnerability allows attackers to escape the sandbox and run arbitrary code. This is achieved by combining Buffer.call.call({}.__lookupGetter__, Buffer, '__proto__'), Buffer.call.call({}.__lookupSetter__, Buffer, '__proto__'), and Node.js's ERR_INVALID_ARG_TYPE Error, which allows the host's TypeError constructor [truncated]