AI description
CVE-2026-47137 identifies a security vulnerability found in Totolink A8000RU firmware version 7.1cu.643_b20200521. This flaw specifically impacts the `setStorageCfg` function located within the `/cgi-bin/cstecgi.cgi` file, which is part of the device's CGI Handler component. The vulnerability allows for OS command injection through the manipulation of the `sambaEnabled` argument. This issue can be exploited remotely, and details of the exploit have been publicly disclosed.
- Description
- vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the fix for GHSA-8hg8-63c5-gwmx (CVE-2023-37903) introduced a check in `nodevm.js` line 263 that blocks the combination `nesting: true` + `require: false`. However, the check uses strict equality (`options.require === false`), which is trivially bypassed by omitting the `require` option entirely. When `require` is not specified, `options.require` is `undefined`, not `false`. The strict equality check fails, so the security guard is skipped. Immediately after (line 280), the destructuring default `require: requireOpts = false` assigns `requireOpts = false`, producing the exact configuration the patch was designed to prevent. This issue has been patched in version 3.11.4.
- Source
- security-advisories@github.com
- NVD status
- Deferred
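The guard-before-default ordering in the description above, as an added example that is not vm2's source code: a simplified model showing which option objects a strict-equality guard rejects, beside a variant that validates the effective value after defaults are applied. The function names `resolveOptionsFlawed`, `resolveOptionsHardened`, `rejects` and `auditAll` are hypothetical, and the sample configurations are constructed.

```javascript
// Simplified model of the option handling the advisory describes.
// Function names are hypothetical; this is not vm2's source code.

// Flawed ordering: the guard inspects the raw option, defaults come later.
function resolveOptionsFlawed(options = {}) {
  if (options.nesting && options.require === false) {
    throw new Error('nesting: true with require: false is not allowed');
  }
  // A destructuring default replaces only `undefined`, after the guard ran.
  const { nesting = false, require: requireOpts = false } = options;
  return { nesting, requireOpts };
}

// Hardened ordering (one possible form): apply defaults, then validate
// the effective value that the rest of the code will actually use.
function resolveOptionsHardened(options = {}) {
  const { nesting = false, require: requireOpts = false } = options;
  if (nesting && !requireOpts) {
    throw new Error('nesting: true needs an explicit require configuration');
  }
  return { nesting, requireOpts };
}

// Report whether a resolver rejects a given option object.
function rejects(resolver, options) {
  try { resolver(options); return false; } catch (err) { return true; }
}

// Constructed sample configurations.
const cases = [
  { label: 'require: false', options: { nesting: true, require: false } },
  { label: 'require omitted', options: { nesting: true } },
  { label: 'require: undefined', options: { nesting: true, require: undefined } },
  { label: 'require configured', options: { nesting: true, require: { builtin: ['path'] } } },
];

function auditAll() {
  return cases.map(({ label, options }) => ({
    label,
    flawedRejects: rejects(resolveOptionsFlawed, options),
    hardenedRejects: rejects(resolveOptionsHardened, options),
  }));
}

console.table(auditAll());
```

The two middle rows are the ones to look at: the strict-equality guard accepts them, yet the effective `requireOpts` is `false` in both.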
CVSS 3.1
- Type
- Secondary
- Base score
- 10
- Impact score
- 6
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- Severity
- CRITICAL
- security-advisories@github.com
- CWE-913
- Hype score
- Not currently trending
CVSS 10.0 in vm2 (npm). CVE-2026-47137 is a sandbox escape that bypasses the fix for CVE-2023-37903 - unauthenticated, no interaction needed, full compromise possible. If vm2 is in your stack, treat this as critical. #nodejs #security https://t.co/mpwdoehrZO https://t.co/y3riLEpa
@SecAlertsCo
30 May 2026
vm2 cve*3: 1 Critical 10/10, 2 high CVE-2026-47137 CVE-2026-47209 CVE-2026-47135 https://t.co/mVLkWf7QCs
@q1uf3ng
19 May 2026