Part of Lyceum Intelligence — deep-research In Focus reports → · Lyceum Corpus — ask the documents →

Full-text search across 381 articles. Typo-tolerant.

Lyceum News Desk ·

CVE-2026-24118 -- CVSS 9.8 Vulnerability Briefing

CVE-2026-24118 | CVSS 9.8 (Critical) | Exploit: No known exploit

What Is It

CVE-2026-24118 is a sandbox escape vulnerability in vm2, an open source Node.js sandboxing library maintained by the Vm2 Project, allowing untrusted code executing within the vm2 sandbox to break out and interact with the host environment.

Technical Detail

The flaw exists in vm2 versions prior to 3.11.0 and stems from insufficient isolation controls within the sandbox implementation, enabling an attacker to craft malicious JavaScript that escapes the intended execution boundary. Once the sandbox is bypassed, the attacker gains access to the underlying Node.js runtime and host system, which in practice means arbitrary code execution (RCE) in the context of the process running vm2. Applications that accept and execute untrusted user-supplied code through vm2 are directly exposed, and successful exploitation requires no authentication if the vm2 instance is reachable by an attacker-controlled input.

Exploitation Status

No known exploit has been publicly documented or confirmed at this time. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog as of May 11, 2026. Despite the absence of confirmed exploitation, the critical CVSS score of 9.8 and the nature of sandbox escape vulnerabilities warrant treating this as high priority for patching without waiting for exploitation evidence to emerge.

Who Is Targeting This

No specific threat actor attribution at this time. No campaigns or targeted sectors have been associated with this vulnerability in available intelligence. Given the widespread use of vm2 in developer tooling, code execution platforms, and cloud-based sandboxing services, opportunistic actors targeting Node.js infrastructure should be considered a plausible threat class.

What To Do

Upgrade vm2 to version 3.11.0 or later immediately. Organizations running any application that passes untrusted input to vm2 for execution should treat this as an urgent patch given the critical severity rating and the RCE potential. If upgrading is not immediately possible, restrict or disable any functionality that allows user-controlled code to be evaluated through vm2 as an interim measure. Audit dependencies across Node.js application stacks to identify transitive use of vm2, as the library is commonly included indirectly. Monitor process execution and file system activity originating from Node.js processes for anomalous behavior as a detection signal pending patch deployment.

In Focus
All analysis →

Deep-research intelligence reports from Lyceum Intelligence — structured assessments with sourced claims and calibrated conclusions.

Browse Intelligence Reports →