CVE-2026-24781 -- CVSS 9.8 Vulnerability Briefing
CVE-2026-24781 | CVSS 9.8 (Critical) | Exploit: No known exploit
What Is It
CVE-2026-24781 is a sandbox escape vulnerability in vm2, an open-source Node.js sandboxing library maintained by the Vm2 Project. It allows attackers to break out of the isolated execution environment through the inspect function.
Technical Detail
The flaw exists in vm2 versions prior to 3.11.0, where the inspect function fails to properly restrict access to the host Node.js runtime from within the sandboxed context. An attacker who can supply or influence code executed inside the vm2 sandbox can craft a payload that leverages the inspect function to escape the sandbox boundary and execute arbitrary code in the host process. Successful exploitation results in full remote code execution at the privilege level of the Node.js process running the sandbox, effectively nullifying the security guarantees vm2 is intended to provide.
Exploitation Status
No known exploit code has been publicly identified at this time, and this vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog. Exploit maturity is assessed as "no known exploit", meaning there is no confirmed public proof-of-concept or observed in-the-wild exploitation as of May 11, 2026. However, the critical CVSS score of 9.8 and the straightforward nature of sandbox escape primitives in vm2 warrant treating this with urgency regardless of current exploitation status.
Who Is Targeting This
No specific threat actor attribution at this time. No campaigns, targeted sectors, or adversary groups have been linked to this vulnerability in available intelligence. Given that vm2 is widely used in multi-tenant and developer tooling environments, opportunistic actors targeting Node.js infrastructure should be considered a plausible threat class if exploitation capability matures.
What To Do
Upgrade vm2 to version 3.11.0 or later immediately. Organizations running any version of vm2 prior to 3.11.0 in production environments, particularly those accepting untrusted code input for sandboxed execution, should treat this as a priority patch given the critical severity rating and the complete loss of sandbox isolation upon exploitation. If immediate patching is not feasible, consider disabling or restricting access to any application functionality that passes untrusted input into vm2 sandbox instances as an interim control. Detection should focus on anomalous process behavior originating from Node.js worker processes, unexpected child process spawning, or file system access patterns inconsistent with sandboxed application logic.