Vendor
A critical vulnerability, CVE-2026-26956, exists in vm2 version 3.10.4 when running on Node.js v25.6.1 (x64 Linux), allowing a full sandbox escape with arbitrary code execution through attacker-controlled code passed to `VM.run()`.