CVE-2026-43998 - Vulnerability Analysis
High | CVSS: 8.5 | Last Updated: May 14, 2026
vm2 - Remote Code Execution
Overview
vm2 3.10.5 contains a remote code execution vulnerability: NodeVM's require.root path restriction can be bypassed using filesystem symlinks, letting sandboxed attackers load modules from outside the allowed root. Exploitation requires crafted symlinks.
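The weakness class named here (CWE-59, link following), shown as an added example that is not vm2's code and does not describe how vm2 was patched: a root check that only normalises the path string accepts a path that passes through a symlink, while a check on the resolved real path rejects it. The function names and the temporary directory layout are assumptions made for the illustration.

```javascript
// Added illustration, not vm2 source. All names and paths are constructed.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// True when `candidate` is `root` itself or lies beneath it (string comparison).
function isUnder(root, candidate) {
  const rel = path.relative(root, candidate);
  if (rel === '') return true;
  return rel !== '..' && !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel);
}

// Weak check: normalises the string only, so a symlink inside root is trusted.
function lexicalAllowed(root, requested) {
  return isUnder(path.resolve(root), path.resolve(root, requested));
}

// Hardened check: resolve symlinks on both sides before comparing.
function realpathAllowed(root, requested) {
  try {
    const realRoot = fs.realpathSync(root);
    const realTarget = fs.realpathSync(path.resolve(root, requested));
    return isUnder(realRoot, realTarget);
  } catch {
    return false; // missing or dangling path: refuse rather than guess
  }
}

// Constructed fixture: <tmp>/root/link -> <tmp>/outside, which holds secret.js.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'root-check-'));
  const root = path.join(base, 'root');
  const outside = path.join(base, 'outside');
  fs.mkdirSync(root);
  fs.mkdirSync(outside);
  fs.writeFileSync(path.join(root, 'ok.js'), 'module.exports = 1;');
  fs.writeFileSync(path.join(outside, 'secret.js'), 'module.exports = 2;');
  fs.symlinkSync(outside, path.join(root, 'link'), 'dir');
  const result = {
    lexicalViaLink: lexicalAllowed(root, 'link/secret.js'),
    realViaLink: realpathAllowed(root, 'link/secret.js'),
    realInside: realpathAllowed(root, 'ok.js'),
    realTraversal: realpathAllowed(root, '../outside/secret.js'),
  };
  fs.rmSync(base, { recursive: true, force: true });
  return result;
}

console.log(demo());
```

A real-path check still leaves a window if the directory tree can change between the check and the load, so it does not replace the upgrade listed under Mitigation.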
Impact
Sandboxed attackers can execute arbitrary code on the host, leading to full system compromise.
Mitigation
Update to version 3.11.0 or later.
Social Media Activity (2 posts)
CVE-2026-43998 - High (8.5) vm2 is an open source vm/sandbox for Node.js. In 3.10.5, NodeVM's require.root path restriction can be bypassed using filesystem symlinks, allowing sandboxed code to load modules from outside the allowed root directory in host context. Because pat... https://www.thehackerwire.com/vulnerability/CVE-2026-43998/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Details
- CVE ID: CVE-2026-43998
- Severity: High
- CVSS Score: 8.5
- Type: command_injection
- Status: confirmed
- EPSS: 19.9%
- Social Posts: 2
CWE
- CWE-59
CVSS Metrics
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H