AI description
Based on the available popular articles, there is no information found regarding a vulnerability identified as CVE-2026-47209. The search results for CVEs in 2026 discuss various other vulnerabilities, such as a Denial of Service in the `cbor2` library (CVE-2026-26209), a Stored Cross-Site Scripting flaw in the Simple Link Directory WordPress plugin (CVE-2026-7209), a use-after-free vulnerability in the macvlan driver (CVE-2026-23209), and a Traffic Management Microkernel process termination issue in F5 products (CVE-2026-42409). Other prominent CVEs from 2026 mentioned in popular articles include a critical heap overflow in the NGINX `ngx_http_rewrite_module` (CVE-2026-42945), and a zero-day vulnerability in Cisco Secure FMC firewall management software (CVE-2026-20131) that has been actively exploited. However, details specifically for CVE-2026-47209 are not present in the provided information.
- Description: vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the BaseHandler.set trap in bridge.js (line 1231) ignores the receiver parameter and unconditionally writes to the host target object. Per the Proxy set trap specification, when receiver !== proxy (e.g., when a child object inherits from the proxy via Object.create), the property assignment should create an own property on the receiver, not on the proxy target. The current implementation always calls otherReflectSet(object, key, value) against the host target, causing all inherited property writes to leak through to the host object. This bug provides an alternative attack vector for writing dangerous cross-realm Symbol keys (e.g., nodejs.util.promisify.custom) to host objects, bypassing any future per-trap isDangerousCrossRealmSymbol guard on the direct set path. This issue has been patched in version 3.11.4.
- Source: security-advisories@github.com
- NVD status: Deferred
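The receiver behaviour described above, as an added example (not vm2's bridge.js code and not taken from the advisory): a simplified model of a `set` trap that ignores `receiver` next to one that forwards it, with a probe that reports where an inherited write lands. The function names and the empty `target` object standing in for a host object are assumptions made for illustration.

```javascript
'use strict';

// Key named in the advisory; Symbol.for() returns the shared registry symbol.
const PROMISIFY_CUSTOM = Symbol.for('nodejs.util.promisify.custom');

// Model of the flawed trap: `receiver` is ignored, so the write always
// goes to the wrapped target object.
function leakyProxy(target) {
  return new Proxy(target, {
    set(object, key, value) {
      return Reflect.set(object, key, value);
    },
  });
}

// Spec-conforming trap: forwarding `receiver` makes an inherited write
// create an own property on the receiver instead of on the target.
function receiverAwareProxy(target) {
  return new Proxy(target, {
    set(object, key, value, receiver) {
      return Reflect.set(object, key, value, receiver);
    },
  });
}

// Regression probe: write through an object that inherits from the proxy
// and report where each key ended up.
function probeInheritedWrites(makeProxy) {
  const target = {}; // constructed stand-in for the host object
  const child = Object.create(makeProxy(target));
  const keys = ['plain', PROMISIFY_CUSTOM];
  for (const key of keys) child[key] = 'written-via-child';
  return keys.map((key) => ({
    key: String(key),
    onTarget: Object.prototype.hasOwnProperty.call(target, key),
    onChild: Object.prototype.hasOwnProperty.call(child, key),
  }));
}

console.log('leaky:', probeInheritedWrites(leakyProxy));
console.log('receiver-aware:', probeInheritedWrites(receiverAwareProxy));
```

A probe of this shape can serve as a regression test for any Proxy-based membrane: an inherited write that shows up as an own property of the wrapped target means the trap is dropping `receiver`.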
CVSS 3.1
- Type: Secondary
- Base score: 8.6
- Impact score: 4
- Exploitability score: 3.9
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
- Severity: HIGH
- security-advisories@github.com: CWE-693
- Hype score: Not currently trending
🚨 HIGH: CVE-2026-47209 in vm2 Node.js sandbox (CVSS 8.6). Proxy handler flaw allows cross-realm property writes to host objects, bypassing security isolation. Patch to v3.11.4+ immediately. #CVE #PatchNow #NodeJS https://t.co/WqgIpNoi82
@DFIR_Lab
13 Jun 2026
vm2 cve*3 1 Critical10/ 10 2 high CVE-2026-47137 CVE-2026-47209 CVE-2026-47135 https://t.co/mVLkWf7QCs
@q1uf3ng
19 May 2026