CVE-2026-47135

Published Jun 12, 2026

Last updated 23 days ago

Overview

Description
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the Symbol.for override in setup-sandbox.js intercepts only 2 of 9 dangerous Node.js cross-realm symbols. In addition, the bridge's set/defineProperty/deleteProperty traps have no isDangerousCrossRealmSymbol key check. Combined, these let sandbox code obtain real cross-realm symbols, write them to host objects, and control host-side behavior, which was verified with a full util.promisify hijack chain. This issue has been patched in version 3.11.4.
Source: security-advisories@github.com
NVD status: Deferred

Risk scores

CVSS 3.1

Type: Secondary
Base score: 8.7
Impact score: 5.8
Exploitability score: 2.2
Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Severity: HIGH

Weaknesses

security-advisories@github.com
CWE-693
