CVE-2026-44007 - Vulnerability Analysis
Critical | CVSS: 9.1 | Last Updated: May 14, 2026
vm2 - Command Injection
Overview
vm2 before 3.11.1 contains a command injection caused by unrestricted require('vm2') in nested NodeVMs: when a NodeVM is created with nesting: true, sandboxed code can require('vm2') regardless of the outer VM's require configuration, letting sandboxed attackers execute arbitrary OS commands on the host. Exploitation requires the nesting: true configuration.
Severity & Score
Impact
Sandboxed attackers can execute arbitrary OS commands on the host, leading to full system compromise.
Mitigation
Update to version 3.11.1 or later.
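As an added example (not code from this advisory page or from the vm2 project), the following Node.js script shows the two defender-side checks the overview and mitigation imply: flagging any installed vm2 copy below the fixed release 3.11.1, and reporting the nesting: true option that the advisory names as required for exploitation. It assumes a lockfileVersion 2/3 package-lock.json layout and a NodeVM options object using the require and nesting keys mentioned above; the lockfile contents and the option objects are constructed sample input.

```javascript
// Added example, not from the advisory or the vm2 project: detect vm2
// versions below the fixed release 3.11.1 in a package-lock.json and audit
// NodeVM options for the nesting: true setting the advisory names as required
// for exploitation. The lockfile and option objects below are constructed.

const FIXED_VERSION = '3.11.1'; // from the advisory's mitigation

// Compare two dotted numeric versions; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isVulnerableVm2Version(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Walk a lockfileVersion 2/3 "packages" map and collect every vm2 install
// (top-level or nested under another dependency) below the fixed version.
function findVulnerableVm2(lockfileText) {
  const lock = JSON.parse(lockfileText);
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isVm2 = path === 'node_modules/vm2' || path.endsWith('/node_modules/vm2');
    if (isVm2 && meta.version && isVulnerableVm2Version(meta.version)) {
      findings.push({ path, version: meta.version });
    }
  }
  return findings;
}

// Audit the options object passed to new NodeVM(...). The advisory states
// the flaw is reachable only when nesting: true is set, so that setting is
// reported alongside the upgrade requirement.
function auditNodeVmOptions(options, installedVersion) {
  const issues = [];
  if (isVulnerableVm2Version(installedVersion)) {
    issues.push(`vm2 ${installedVersion} is below ${FIXED_VERSION}; upgrade`);
  }
  if (options.nesting === true) {
    issues.push('nesting: true enables the affected code path; disable unless nested VMs are required');
  }
  return issues;
}

// Constructed sample lockfile with one vulnerable and one fixed vm2 copy.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/vm2': { version: '3.9.19' },
    'node_modules/some-plugin/node_modules/vm2': { version: '3.11.1' },
  },
});

// Constructed NodeVM option objects: the risky configuration and a safer one.
const RISKY_OPTIONS = { require: false, nesting: true };
const SAFER_OPTIONS = { require: false, nesting: false };

console.log(findVulnerableVm2(SAMPLE_LOCKFILE));
console.log(auditNodeVmOptions(RISKY_OPTIONS, '3.9.19'));
console.log(auditNodeVmOptions(SAFER_OPTIONS, '3.11.1'));
```

Run it with node against a real lockfile by replacing SAMPLE_LOCKFILE with the file's contents; nested copies of vm2 pulled in by other dependencies are matched on the "/node_modules/vm2" path suffix, which is where a stale copy usually hides after a top-level upgrade.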
References
Social Media Activity (2 posts)
CVE-2026-44007 - Critical (9.1) vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.1, when a NodeVM is created with nesting: true, sandbox code can unconditionally require('vm2') regardless of the outer VM's require configuration, including require: false. With acces... https://www.thehackerwire.com/vulnerability/CVE-2026-44007/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Related Resources
Details
- CVE ID: CVE-2026-44007
- Severity: Critical
- CVSS Score: 9.1
- Type: command_injection
- Status: confirmed
- EPSS: 3.6%
- Social Posts: 2
CWE
- CWE-284
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H