Home / Vulnerability Intelligence / CVE-2026-24118

CVE-2026-24118 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: May 4, 2026

VM2 - Command Injection

Published: May 4, 2026Updated: May 4, 2026Remote Exploitable

Overview

VM2 < 3.11.0 contains a sandbox breakout vulnerability caused by insufficient isolation in the sandbox, letting attackers execute arbitrary commands on the host system, exploit requires attacker to run code inside the sandbox.

Severity & Score

Severity: Critical

CVSS Score: 9.8

Impact

Attackers can escape the sandbox and execute arbitrary commands on the host, leading to full system compromise.

Mitigation

Upgrade to version 3.11.0 or later.

References

https://github.com/patriksimek/vm2/commit/2b5f3e3a060d9088f5e1cdd585d683d491f990a3
https://github.com/patriksimek/vm2/commit/f9b700b1c7d9ef2df416666cb24e0b659140cc74
https://github.com/patriksimek/vm2/releases/tag/v3.11.0
https://github.com/patriksimek/vm2/security/advisories/GHSA-grj5-jjm8-h35p

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-24118
Severity: Critical
CVSS Score: 9.8
Type: command_injection
Status: new

CWE

CWE-94

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H