CVE-2026-45411 - Vulnerability Analysis
Critical | CVSS: 9.8 | Last Updated: May 14, 2026
vm2 - Command Injection
Overview
vm2 versions before 3.11.3 contain a command injection vulnerability caused by improper exception handling in the yield* expression of async generators. It lets attackers escape the sandbox and execute arbitrary commands on the host system. Exploitation requires crafted async generator usage.
Severity & Score
Impact
Attackers can escape the sandbox and execute arbitrary commands on the host system, leading to full system compromise.
Mitigation
Update to version 3.11.3 or later.
Social Media Activity (2 posts)
CVE-2026-45411 - Critical (9.8) vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.3, it is possible to catch a host exception using the yield* expression inside an async generator. When the generator is closed using the return function, the value is awaited on and exce... https://www.thehackerwire.com/vulnerability/CVE-2026-45411/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Related Resources
Details
- CVE ID: CVE-2026-45411
- Severity: Critical
- CVSS Score: 9.8
- Type: command_injection
- Status: confirmed
- EPSS: 5.4%
- Social Posts: 2
CWE
- CWE-668
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H