CVE-2026-44006 - Vulnerability Analysis
CriticalCVSS: 10.0Last Updated: May 14, 2026
vm2 - Prototype Pollution
Overview
vm2 < 3.11.0 contains a prototype pollution caused by access to BaseHandler.getPrototypeOf, letting attackers retrieve arbitrary prototypes, exploit requires no special privileges.
Severity & Score
Impact
Attackers can retrieve arbitrary prototypes, potentially leading to further prototype pollution or privilege escalation.
Mitigation
Update to version 3.11.0 or later.
Social Media Activity(2 posts)
š“ CVE-2026-44006 - Critical (10) vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, It is possible to reach BaseHandler.getPrototypeOf, which can be used to get arbitrary prototypes. This vulnerability is fixed in 3.11.0. š https://www.thehackerwire.com/vulnerability/CVE-2026-44006/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original post
š“ CVE-2026-44006 - Critical (10) vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, It is possible to reach BaseHandler.getPrototypeOf, which can be used to get arbitrary prototypes. This vulnerability is fixed in 3.11.0. š https://www.thehackerwire.com/vulnerability/CVE-2026-44006/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original postRelated Resources
Details
- CVE ID
- CVE-2026-44006
- Severity
- Critical
- CVSS Score
- 10.0
- Type
- prototype_pollution
- Status
- confirmed
- EPSS
- 4.8%
- Social Posts
- 2
CWE
- CWE-94
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H