NVD · CVE-2026-26332

CVE-2026-26332

Published: Mon, 04 May 2026 17:16

CVE-2026-26332

Summary

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0.

Are YOU affected by CVE-2026-26332?

5-second check on your actual server. Reads /etc/os-release, uname -r, and dpkg-query; matches against the live USN + Debian Security Tracker feeds; tells you whether CVE-2026-26332 (and any other live CVE) applies. Anonymous, no signup.

curl https://mindsparkstack.com/scan.sh | bash

Form-based quickscan Read the bash source first

References

https://github.com/patriksimek/vm2/releases/tag/v3.11.0
https://github.com/patriksimek/vm2/security/advisories/GHSA-55hx-c926-fr95
https://github.com/patriksimek/vm2/security/advisories/GHSA-55hx-c926-fr95

Want this automated for your servers?

StackPatch runs this match against YOUR installed packages every hour

Free 1-server / $99 lifetime founder seat (50 only) / $19+/mo monthly. Indie pricing.

Buy lifetime →See StackPatch →Live audit log →