CVE-2026-47209

Published Jun 12, 2026

Last updated 22 days ago

Overview

AI description

Automated description summarized from trusted sources.

Based on the available popular articles, no information was found regarding a vulnerability identified as CVE-2026-47209. The search results for CVEs in 2026 discuss various other vulnerabilities, such as a Denial of Service in the `cbor2` library (CVE-2026-26209), a Stored Cross-Site Scripting flaw in the Simple Link Directory WordPress plugin (CVE-2026-7209), a use-after-free vulnerability in the macvlan driver (CVE-2026-23209), and a Traffic Management Microkernel process termination issue in F5 products (CVE-2026-42409). Other prominent CVEs from 2026 mentioned in popular articles include a critical heap overflow in the NGINX `ngx_http_rewrite_module` (CVE-2026-42945), and a zero-day vulnerability in Cisco Secure FMC firewall management software (CVE-2026-20131) that has been actively exploited. However, details specifically for CVE-2026-47209 are not present in the provided information.

Description
vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the BaseHandler.set trap in bridge.js (line 1231) ignores the receiver parameter and unconditionally writes to the host target object. Per the Proxy set trap specification, when receiver !== proxy (e.g., when a child object inherits from the proxy via Object.create), the property assignment should create an own property on the receiver, not on the proxy target. The current implementation always calls otherReflectSet(object, key, value) against the host target, causing all inherited property writes to leak through to the host object. This bug provides an alternative attack vector for writing dangerous cross-realm Symbol keys (e.g., nodejs.util.promisify.custom) to host objects, bypassing any future per-trap isDangerousCrossRealmSymbol guard on the direct set path. This issue has been patched in version 3.11.4.
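The receiver semantics the description relies on, shown as an added JavaScript illustration that is not vm2's code: a generic "bridge" handler forwards writes on a proxy to a host-side object, in the leaky form (receiver ignored, every write lands on the host target) beside the spec-correct form (a receiver other than the proxy gets its own property), plus a regression check a bridge maintainer can keep in a test suite. The `wrap` and `inheritedWrite` helpers, the host object and the keys are constructed for this example and are not vm2 identifiers.

```javascript
// Added illustration (not vm2's code): how a Proxy `set` trap must honour the
// `receiver` argument. A bridge handler forwards writes on the proxy to a
// host-side target object; if it ignores `receiver`, writes made through a
// child created with Object.create(proxy) also land on the host object.

// Build a proxy around `host`. `honourReceiver` selects the leaky or the
// spec-correct trap so both can be compared side by side.
function wrap(host, honourReceiver) {
  let proxy;
  const handler = {
    set(target, key, value, receiver) {
      if (honourReceiver && receiver !== proxy) {
        // `receiver` is an object inheriting from the proxy, not the proxy
        // itself: pass it through so Reflect.set creates an own property on
        // the child (or invokes a host setter with the child as `this`) and
        // never adds a property to the host target.
        return Reflect.set(target, key, value, receiver);
      }
      // Direct write on the proxy: mirrored to the host target. This is the
      // intended bridge behaviour; the leaky trap takes this path for every
      // write because it drops `receiver`.
      return Reflect.set(target, key, value);
    },
  };
  proxy = new Proxy(host, handler);
  return proxy;
}

// Exercise an inherited write and report where the property ended up.
function inheritedWrite(honourReceiver, key = "injected") {
  const host = { name: "host" }; // constructed host-side object
  const proxy = wrap(host, honourReceiver);
  const child = Object.create(proxy); // child inherits from the proxy
  child[key] = "from child"; // set trap runs with receiver === child
  const hasOwn = (o) => Object.prototype.hasOwnProperty.call(o, key);
  proxy.direct = 1; // a direct write, which should reach the host in both modes
  return {
    hostHasIt: hasOwn(host), // true only if the inherited write leaked through
    childHasOwn: hasOwn(child), // true when the receiver got its own property
    childReads: child[key], // the child sees its value either way
    directWriteReachesHost: host.direct === 1,
  };
}

// Regression check: a handler isolates inherited writes when neither a string
// key nor a symbol key written via an inheriting object appears on the host.
function handlerIsolatesInheritedWrites(honourReceiver) {
  const keys = ["injected", Symbol.for("example.marker")]; // constructed keys
  return keys.every((k) => !inheritedWrite(honourReceiver, k).hostHasIt);
}

console.log("leaky trap :", inheritedWrite(false));
console.log("fixed trap :", inheritedWrite(true));
console.log("isolated? leaky:", handlerIsolatesInheritedWrites(false),
            "fixed:", handlerIsolatesInheritedWrites(true));
```

With the leaky trap the child never gets an own property and the host object acquires `injected`; with the receiver-aware trap the host is untouched while the child still reads the value through its prototype chain, and direct writes on the proxy keep reaching the host in both modes. The check covers symbol keys as well as strings because the trap sees both through the same path.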
Source
security-advisories@github.com
NVD status
Deferred

Risk scores

CVSS 3.1

Type
Secondary
Base score
8.6
Impact score
4
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Severity
HIGH

Weaknesses

security-advisories@github.com
CWE-693

Social media

Hype score
Not currently trending