{"vulnerability": "CVE-2026-26956", "sightings": [{"uuid": "2a0581fc-e62b-417b-90e5-90c052e01364", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-26956", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3ml2cftc6av2t", "content": "\ud83d\udd34 CVE-2026-26956 - Critical (9.8)\n\nvm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbo...\n\nhttps://www.thehackerwire.com/vulnerability/CVE-2026-26956/\n\n#infosec #cybersecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": "2026-05-04T18:28:08.903294Z"}, {"uuid": "8e69a84f-5ffe-42dd-8268-2a433e09f25e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-26956", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3ml2cgqpign2g", "content": "\ud83d\udd34 CVE-2026-26956 - Critical (9.8)\n\nvm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbo...\n\nhttps://www.thehackerwire.com/vulnerability/CVE-2026-26956/\n\n#infosec #cybersecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": "2026-05-04T18:28:40.083370Z"}, {"uuid": "5ec0c5ad-a532-4877-aa63-5368bd66f93e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-26956", "type": "seen", "source": "https://bsky.app/profile/wasm.activitypub.awakari.com.ap.brid.gy/post/3mlabwuv4hry2", "content": "vm2 CVE-2026-26956: Node.js sandbox escape enables host code execution A critical sandbox-escape vulnerability in the popular Node.js library vm2 can let untrusted code break out of the VM and reac...\n\n#News\n\nOrigin | Interest | Match", "creation_timestamp": "2026-05-07T03:35:45.813116Z"}, {"uuid": "b4f83386-3973-41c7-86c6-633bf6fdc41f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-26956", "type": "seen", "source": "https://bsky.app/profile/ahmandonk.bsky.social/post/3ml7zg7y7x72r", "content": "\ud83d\udcf0 Bug Kritis 'Sandbox' vm2 Izinkan Penyerang Eksekusi Kode Berbahaya di Sistem Host\n\n\ud83d\udc49 Baca artikel lengkap di sini: https://ahmandonk.com/2026/05/07/bug-kritis-sandbox-vm2-izinkan-penyerang-eksekusi-kode-di-host/\n\n#ahmandonkTechNews #beritaTeknologi #cve-2026-26956 #cybercrime #javascript #ke", "creation_timestamp": "2026-05-07T01:03:16.909138Z"}, {"uuid": "9a5d693b-4372-4538-a2bb-aac6ab7d45c5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-26956", "type": "seen", "source": "https://bsky.app/profile/wasm.activitypub.awakari.com.ap.brid.gy/post/3ml7zsygg4zn2", "content": "vm2 CVE-2026-26956: Node.js sandbox escape enables host code execution A critical sandbox-escape vulnerability in the popular Node.js library vm2 can let untrusted code break out of the VM and reac...\n\n#News\n\nOrigin | Interest | Match", "creation_timestamp": "2026-05-07T01:12:19.876813Z"}, {"uuid": "3b696101-2e85-44b0-95ec-5632495745e6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-26956", "type": "seen", "source": "https://gist.github.com/alon710/4330d672e3cd0f4cc748d6de83e526ff", "content": "# CVE-2026-26956: CVE-2026-26956: WebAssembly Exception Handling Sandbox Escape in vm2\n\n> **CVSS Score:** 9.8\n> **Published:** 2026-05-05\n> **Full Report:** https://cvereports.com/reports/CVE-2026-26956\n\n## Summary\nvm2 versions 3.10.4 and below are vulnerable to a critical sandbox escape flaw resulting in unauthenticated remote code execution. Attackers can leverage Node.js v25 WebAssembly (WASM) exception handling mechanisms to bypass JavaScript-level error instrumentation and gain access to the host-realm execution context.\n\n## TL;DR\nA critical sandbox escape (CVSS 9.8) in vm2 allows attackers to achieve arbitrary code execution by exploiting WebAssembly try_table and JSTag instructions to leak un-sanitized host-realm objects.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-693 (Protection Mechanism Failure)\n- **Attack Vector**: Network (Unauthenticated)\n- **CVSS v3.1**: 9.8 (Critical)\n- **Impact**: Remote Code Execution / Sandbox Escape\n- **Exploit Status**: Proof of Concept Available\n- **Vulnerable Component**: Error instrumentation / handleException()\n\n## Affected Systems\n\n- Node.js applications evaluating untrusted code\n- vm2 versions 3.10.4 and below\n- **vm2**: <= 3.10.4 (Fixed in: `3.10.5`)\n\n## Mitigation\n\n- Upgrade vm2 to patched version 3.10.5.\n- Disable WebAssembly within the vm2 sandbox by setting 'wasm: false'.\n- Migrate to an isolate-based sandboxing library like 'isolated-vm' due to the deprecation of vm2.\n\n**Remediation Steps:**\n1. Identify all projects and transitive dependencies utilizing vm2.\n2. Update the package.json to require vm2 version 3.10.5 or higher.\n3. Run 'npm install' or 'yarn install' to update the dependency tree.\n4. Audit sandbox instantiation code and enforce 'wasm: false' if WebAssembly is not strictly required.\n5. Begin architecture planning to replace vm2 with isolated-vm.\n\n## References\n\n- [GHSA Advisory: GHSA-ffh4-j6h5-pg66](https://github.com/patriksimek/vm2/security/advisories/GHSA-ffh4-j6h5-pg66)\n- [RedHotCyber Vulnerability Report](https://www.redhotcyber.com/en/latest-critical-vulnerabilities/)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-26956) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-05T17:10:29.000000Z"}, {"uuid": "d3ba8219-c71d-4db4-8001-c16f09360631", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-26956", "type": "seen", "source": "https://bsky.app/profile/wasm.activitypub.awakari.com.ap.brid.gy/post/3mlbdnxgqise2", "content": "CVE-2026-26956: vm2 Sandbox Escape Enables Host RCE in Node.js 25 CVE-2026-26956: vm2 Sandbox Escape Enables Host RCE in Node.js 25 CVE-2026-26956 is a critical sandbox escape affecting the Node.js...\n\n#Cyber #News\n\nOrigin | Interest | Match", "creation_timestamp": "2026-05-07T13:39:27.808205Z"}, {"uuid": "38bec017-27eb-49f7-96c9-fd17d198dbc6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-26956", "type": "seen", "source": "https://t.me/true_secator/8184", "content": "\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0430\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0432 \u043f\u043e\u043f\u0443\u043b\u044f\u0440\u043d\u043e\u0439 \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0435 Node.js \u0434\u043b\u044f \u0440\u0430\u0431\u043e\u0442\u044b \u0441 \u0438\u0437\u043e\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u0439 \u0441\u0440\u0435\u0434\u043e\u0439 vm2 \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u043e\u0431\u043e\u0439\u0442\u0438 \u043f\u0435\u0441\u043e\u0447\u043d\u0438\u0446\u0443 \u0438 \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434 \u0432 \u0445\u043e\u0441\u0442-\u0441\u0438\u0441\u0442\u0435\u043c\u0435.\n\nvm2 - \u044d\u0442\u043e \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0430 Node.js \u0441 \u043e\u0442\u043a\u0440\u044b\u0442\u044b\u043c \u0438\u0441\u0445\u043e\u0434\u043d\u044b\u043c \u043a\u043e\u0434\u043e\u043c, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u043c\u0430\u044f \u0434\u043b\u044f \u0432\u044b\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u044f \u043d\u0435\u043d\u0430\u0434\u0435\u0436\u043d\u043e\u0433\u043e \u043a\u043e\u0434\u0430 JavaScript \u0432 \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u043d\u043e\u0439 \u0438\u0437\u043e\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u0439 \u0441\u0440\u0435\u0434\u0435.\n\n\u041e\u043d\u0430 \u0448\u0438\u0440\u043e\u043a\u043e \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442\u0441\u044f \u043e\u043d\u043b\u0430\u0439\u043d-\u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u0430\u043c\u0438 \u0434\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f, \u0438\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442\u0430\u043c\u0438 \u0430\u0432\u0442\u043e\u043c\u0430\u0442\u0438\u0437\u0430\u0446\u0438\u0438 \u0438 SaaS-\u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u044f\u043c\u0438, \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u044e\u0442 \u043f\u0440\u0435\u0434\u043e\u0441\u0442\u0430\u0432\u043b\u0435\u043d\u043d\u044b\u0435 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u043c \u0441\u043a\u0440\u0438\u043f\u0442\u044b.\n\n\u0411\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0430 \u043f\u044b\u0442\u0430\u0435\u0442\u0441\u044f \u0438\u0437\u043e\u043b\u0438\u0440\u043e\u0432\u0430\u0442\u044c \u043a\u043e\u0434, \u043d\u0430\u0445\u043e\u0434\u044f\u0449\u0438\u0439\u0441\u044f \u0432 \u0432\u044b\u0434\u0435\u043b\u0435\u043d\u043d\u043e\u0439 \u0441\u0440\u0435\u0434\u0435, \u043e\u0442 \u0445\u043e\u0441\u0442-\u0441\u0438\u0441\u0442\u0435\u043c\u044b \u0438 \u0431\u043b\u043e\u043a\u0438\u0440\u043e\u0432\u0430\u0442\u044c \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u043a\u043e\u043d\u0444\u0438\u0434\u0435\u043d\u0446\u0438\u0430\u043b\u044c\u043d\u044b\u043c API Node.js, \u0442\u0430\u043a\u0438\u043c \u043a\u0430\u043a \u043f\u0440\u043e\u0446\u0435\u0441\u0441\u044b \u0438 \u0444\u0430\u0439\u043b\u043e\u0432\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430.\n\nvm2 \u0435\u0436\u0435\u043d\u0435\u0434\u0435\u043b\u044c\u043d\u043e \u0441\u043a\u0430\u0447\u0438\u0432\u0430\u044e\u0442 \u0431\u043e\u043b\u0435\u0435 1,3 \u043c\u043b\u043d. \u0440\u0430\u0437\u00a0\u0447\u0435\u0440\u0435\u0437 npm\u00a0(Node Package Manager), \u0441\u0442\u0430\u043d\u0434\u0430\u0440\u0442\u043d\u044b\u0439 \u043c\u0435\u043d\u0435\u0434\u0436\u0435\u0440 \u043f\u0430\u043a\u0435\u0442\u043e\u0432 \u043a\u043e\u043c\u0430\u043d\u0434\u043d\u043e\u0439 \u0441\u0442\u0440\u043e\u043a\u0438 \u0434\u043b\u044f Node.js.\n\n\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043e\u0442\u0441\u043b\u0435\u0436\u0438\u0432\u0430\u0435\u0442\u0441\u044f \u043a\u0430\u043a CVE-2026-26956 \u0438\u0437\u0430\u0442\u0440\u0430\u0433\u0438\u0432\u0430\u0435\u0442 \u0432\u0435\u0440\u0441\u0438\u044e vm2 3.10.4, \u0431\u043e\u043b\u0435\u0435 \u0440\u0430\u043d\u043d\u0438\u0435 \u0432\u0435\u0440\u0441\u0438\u0438 \u0442\u0430\u043a\u0436\u0435 \u043c\u043e\u0433\u0443\u0442 \u0431\u044b\u0442\u044c \u0443\u044f\u0437\u0432\u0438\u043c\u044b. \u0427\u0442\u043e \u0432\u0430\u0436\u043d\u043e \u043e\u0442\u043c\u0435\u0442\u0438\u0442\u044c - PoC \u0443\u0436\u0435 \u0434\u043e\u0441\u0442\u0443\u043f\u0435\u043d.\n\n\u0412 \u0443\u0432\u0435\u0434\u043e\u043c\u043b\u0435\u043d\u0438\u0438 \u0441\u043e\u043f\u0440\u043e\u0432\u043e\u0436\u0434\u0430\u044e\u0449\u0438\u0439 \u043f\u0440\u043e\u0435\u043a\u0442\u0430 \u0437\u0430\u044f\u0432\u043b\u044f\u0435\u0442, \u0447\u0442\u043e \u043f\u0440\u043e\u0431\u043b\u0435\u043c\u0430 \u0437\u0430\u0442\u0440\u0430\u0433\u0438\u0432\u0430\u0435\u0442 \u0442\u043e\u043b\u044c\u043a\u043e \u0441\u0440\u0435\u0434\u044b \u0441 Node.js 25 (\u043f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u043e \u043d\u0430 Node.js 25.6.1), \u0432 \u043a\u043e\u0442\u043e\u0440\u044b\u0445 \u0432\u043a\u043b\u044e\u0447\u0435\u043d\u0430 \u043e\u0431\u0440\u0430\u0431\u043e\u0442\u043a\u0430 \u0438\u0441\u043a\u043b\u044e\u0447\u0435\u043d\u0438\u0439 WebAssembly \u0438 \u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u0430 JSTag.\n\nCVE-2026-26956 \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043e\u0448\u0438\u0431\u043e\u0447\u043d\u043e\u0439 \u043e\u0431\u0440\u0430\u0431\u043e\u0442\u043a\u043e\u0439 \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u043e\u0439 \u0438\u0441\u043a\u043b\u044e\u0447\u0435\u043d\u0438\u0439, \u0432\u043e\u0437\u043d\u0438\u043a\u0430\u044e\u0449\u0438\u0445 \u043f\u0440\u0438 \u043f\u0435\u0440\u0435\u0445\u043e\u0434\u0435 \u043c\u0435\u0436\u0434\u0443 \u0438\u0437\u043e\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u043e\u0439 \u0441\u0440\u0435\u0434\u043e\u0439 \u0438 \u0445\u043e\u0441\u0442\u043e\u043c.\n\n\u0412 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u044f\u0445 \u043f\u043e\u044f\u0441\u043d\u044f\u0435\u0442\u0441\u044f\u00a0, \u0447\u0442\u043e vm2 \u043e\u0431\u044b\u0447\u043d\u043e \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430 \u0437\u0430\u0449\u0438\u0442\u044b \u043d\u0430 \u0443\u0440\u043e\u0432\u043d\u0435 JavaScript, \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u043f\u0440\u0435\u0434\u043e\u0442\u0432\u0440\u0430\u0449\u0430\u044e\u0442 \u043e\u0448\u0438\u0431\u043a\u0438 \u043d\u0430 \u0443\u0440\u043e\u0432\u043d\u0435 \u0445\u043e\u0441\u0442\u0430, \u0438 \u043f\u0440\u043e\u043a\u0441\u0438-\u0441\u0435\u0440\u0432\u0435\u0440\u044b, \u043a\u043e\u0442\u043e\u0440\u044b\u0435 \u0438\u043d\u043a\u0430\u043f\u0441\u0443\u043b\u0438\u0440\u0443\u044e\u0442 \u043e\u0431\u044a\u0435\u043a\u0442\u044b, \u0440\u0430\u0431\u043e\u0442\u0430\u044e\u0449\u0438\u0435 \u0432 \u0440\u0430\u0437\u043d\u044b\u0445 \u043a\u043e\u043d\u0442\u0435\u043a\u0441\u0442\u0430\u0445, \u0438 \u0432\u0441\u0451 \u044d\u0442\u043e \u043f\u043e\u043b\u043d\u043e\u0441\u0442\u044c\u044e \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u0435\u0442\u0441\u044f \u0432 \u0440\u0430\u043c\u043a\u0430\u0445 JavaScript.\n\n\u041e\u0434\u043d\u0430\u043a\u043e \u043e\u0431\u0440\u0430\u0431\u043e\u0442\u043a\u0430 \u0438\u0441\u043a\u043b\u044e\u0447\u0435\u043d\u0438\u0439 WebAssembly \u043c\u043e\u0436\u0435\u0442 \u043f\u0435\u0440\u0435\u0445\u0432\u0430\u0442\u044b\u0432\u0430\u0442\u044c \u043e\u0448\u0438\u0431\u043a\u0438 JavaScript \u043d\u0430 \u0431\u043e\u043b\u0435\u0435 \u043d\u0438\u0437\u043a\u043e\u043c \u0443\u0440\u043e\u0432\u043d\u0435 \u0432\u043d\u0443\u0442\u0440\u0438 \u0434\u0432\u0438\u0436\u043a\u0430 V8 \u043e\u0442 Google, \u043e\u0431\u0445\u043e\u0434\u044f \u043e\u0441\u043d\u043e\u0432\u0430\u043d\u043d\u044b\u0435 \u043d\u0430 JavaScript \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430 \u0437\u0430\u0449\u0438\u0442\u044b vm2.\n\n\u0417\u0430\u043f\u0443\u0441\u0442\u0438\u0432 \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u044c\u043d\u043e \u0441\u0444\u043e\u0440\u043c\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u0443\u044e \u043e\u0448\u0438\u0431\u043a\u0443 TypeError \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u043f\u0440\u0435\u043e\u0431\u0440\u0430\u0437\u043e\u0432\u0430\u043d\u0438\u044f \u0441\u0438\u043c\u0432\u043e\u043b\u0430 \u0432 \u0441\u0442\u0440\u043e\u043a\u0443, \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0438 \u043c\u043e\u0433\u0443\u0442 \u0434\u043e\u0431\u0438\u0442\u044c\u0441\u044f \u0443\u0442\u0435\u0447\u043a\u0438 \u043e\u0431\u044a\u0435\u043a\u0442\u0430 \u043e\u0448\u0438\u0431\u043a\u0438 \u043d\u0430 \u0441\u0442\u043e\u0440\u043e\u043d\u0435 \u0445\u043e\u0441\u0442\u0430 \u043e\u0431\u0440\u0430\u0442\u043d\u043e \u0432 \u043f\u0435\u0441\u043e\u0447\u043d\u0438\u0446\u0443 \u0431\u0435\u0437 \u043f\u0440\u0435\u0434\u0432\u0430\u0440\u0438\u0442\u0435\u043b\u044c\u043d\u043e\u0439 \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0438 \u0441\u043e \u0441\u0442\u043e\u0440\u043e\u043d\u044b vm2.\n\n\u041f\u043e\u0441\u043a\u043e\u043b\u044c\u043a\u0443 \u0443\u0442\u0435\u0447\u043a\u0430 \u043e\u0431\u044a\u0435\u043a\u0442\u0430 \u043f\u0440\u043e\u0438\u0441\u0445\u043e\u0434\u0438\u0442 \u0438\u0437 \u0441\u0440\u0435\u0434\u044b \u0445\u043e\u0441\u0442\u0430, \u0437\u043b\u043e\u0443\u043c\u044b\u0448\u043b\u0435\u043d\u043d\u0438\u043a\u0438 \u043c\u043e\u0433\u0443\u0442 \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u044c \u0446\u0435\u043f\u043e\u0447\u043a\u0443 \u0435\u0433\u043e \u043a\u043e\u043d\u0441\u0442\u0440\u0443\u043a\u0442\u043e\u0440\u043e\u0432 \u0434\u043b\u044f \u0432\u043e\u0441\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f \u0434\u043e\u0441\u0442\u0443\u043f\u0430 \u043a \u0432\u043d\u0443\u0442\u0440\u0435\u043d\u043d\u0438\u043c \u043c\u0435\u0445\u0430\u043d\u0438\u0437\u043c\u0430\u043c Node.js, \u0432\u043a\u043b\u044e\u0447\u0430\u044f \u043e\u0431\u044a\u0435\u043a\u0442 \u043f\u0440\u043e\u0446\u0435\u0441\u0441\u0430, \u0447\u0442\u043e \u0432 \u043a\u043e\u043d\u0435\u0447\u043d\u043e\u043c \u0438\u0442\u043e\u0433\u0435 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442 \u0432\u044b\u043f\u043e\u043b\u043d\u044f\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0435 \u043a\u043e\u043c\u0430\u043d\u0434\u044b \u0432 \u0441\u0438\u0441\u0442\u0435\u043c\u0435 \u0445\u043e\u0441\u0442\u0430.\n\n\u041f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f\u043c vm2 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0443\u0435\u0442\u0441\u044f \u043a\u0430\u043a \u043c\u043e\u0436\u043d\u043e \u0441\u043a\u043e\u0440\u0435\u0435 \u043e\u0431\u043d\u043e\u0432\u0438\u0442\u044c\u0441\u044f \u0434\u043e\u00a0\u0432\u0435\u0440\u0441\u0438\u0438 3.10.5 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u043f\u043e\u0437\u0434\u043d\u0435\u0439 (\u043f\u043e\u0441\u043b\u0435\u0434\u043d\u044f\u044f \u0432\u0435\u0440\u0441\u0438\u044f - 3.11.2), \u0447\u0442\u043e\u0431\u044b \u0441\u043d\u0438\u0437\u0438\u0442\u044c \u0440\u0438\u0441\u043a \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 CVE-2026-26956.", "creation_timestamp": "2026-05-07T18:10:06.000000Z"}, {"uuid": "49e83cd6-b665-49d5-9dda-3666445c36c7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-26956", "type": "seen", "source": "https://bsky.app/profile/wasm.activitypub.awakari.com.ap.brid.gy/post/3mlbhwjl3exe2", "content": "CVE-2026-26956: vm2 Sandbox Escape Enables Host RCE in Node.js 25 CVE-2026-26956: vm2 Sandbox Escape Enables Host RCE in Node.js 25 Introduction to Malware Binary Triage (IMBT) Course Looking to le...\n\n#Malware #News\n\nOrigin | Interest | Match", "creation_timestamp": "2026-05-07T14:55:40.024993Z"}, {"uuid": "f2e8293a-ff05-49b3-aa94-151bc15c8e5e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-26956", "type": "seen", "source": "https://bsky.app/profile/wasm.activitypub.awakari.com.ap.brid.gy/post/3mlc3nmmyg6w2", "content": "vm2 CVE-2026-26956: Node.js sandbox escape enables host code execution A critical sandbox-escape flaw in vm2 3.10.4 can let untrusted Node.js code reach the host environment. Upgrade to vm2 3.10.5 ...\n\n#News\n\nOrigin | Interest | Match", "creation_timestamp": "2026-05-07T20:51:22.041671Z"}, {"uuid": "d869b93c-4bdb-4a21-95d9-a4242ad76411", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-26956", "type": "seen", "source": "https://t.me/bdufstecru/3146", "content": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0444\u0443\u043d\u043a\u0446\u0438\u0438 VM.run() \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0438 vm2 \u043f\u0430\u043a\u0435\u0442\u043d\u043e\u0433\u043e \u043c\u0435\u043d\u0435\u0434\u0436\u0435\u0440\u0430 NPM \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0430\u0440\u0443\u0448\u0435\u043d\u0438\u0435\u043c \u043c\u0435\u0445\u0430\u043d\u0438\u0437\u043c\u0430 \u0437\u0430\u0449\u0438\u0442\u044b \u0434\u0430\u043d\u043d\u044b\u0445. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434\n\nBDU:2026-06428\nCVE-2026-26956\n\n\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f:\nhttps://github.com/patriksimek/vm2/security/advisories/GHSA-ffh4-j6h5-pg66", "creation_timestamp": "2026-05-08T14:03:16.000000Z"}]}