https://vulnerability.circl.lu Contains only the most 10 recent sightings. http://www.rssboard.org/rss-specification python-feedgen en Wed, 03 Jun 2026 03:54:25 +0000 https://vulnerability.circl.lu/sighting/537005f4-f35e-4f4b-bcec-e92abf908b62/export {"uuid": "537005f4-f35e-4f4b-bcec-e92abf908b62", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-24127", "type": "seen", "source": "https://bsky.app/profile/securitycipher.bsky.social/post/3mdunf4agu22k", "content": "", "creation_timestamp": "2026-02-02T10:32:15.721987Z"} {"uuid": "537005f4-f35e-4f4b-bcec-e92abf908b62", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-24127", "type": "seen", "source": "https://bsky.app/profile/securitycipher.bsky.social/post/3mdunf4agu22k", "content": "", "creation_timestamp": "2026-02-02T10:32:15.721987Z"} https://vulnerability.circl.lu/sighting/537005f4-f35e-4f4b-bcec-e92abf908b62/export Mon, 02 Feb 2026 10:32:15 +0000 https://vulnerability.circl.lu/sighting/361fbc33-00e1-4469-91a4-8dd6fe964e87/export {"uuid": "361fbc33-00e1-4469-91a4-8dd6fe964e87", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-24128", "type": "seen", "source": "https://bsky.app/profile/beikokucyber.bsky.social/post/3mdyb3paipn2c", "content": "", "creation_timestamp": "2026-02-03T21:02:57.544759Z"} {"uuid": "361fbc33-00e1-4469-91a4-8dd6fe964e87", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-24128", "type": "seen", "source": "https://bsky.app/profile/beikokucyber.bsky.social/post/3mdyb3paipn2c", "content": "", "creation_timestamp": "2026-02-03T21:02:57.544759Z"} https://vulnerability.circl.lu/sighting/361fbc33-00e1-4469-91a4-8dd6fe964e87/export Tue, 03 Feb 2026 21:02:57 +0000 https://vulnerability.circl.lu/sighting/e26d5087-2883-4c51-a104-76dbe5a35e39/export {"uuid": "e26d5087-2883-4c51-a104-76dbe5a35e39", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-24122", "type": "seen", "source": "https://gist.github.com/alon710/ee16e9aabb8895513a00d88d6dc1ac96", "content": "", "creation_timestamp": "2026-02-19T22:40:39.000000Z"} {"uuid": "e26d5087-2883-4c51-a104-76dbe5a35e39", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-24122", "type": "seen", "source": "https://gist.github.com/alon710/ee16e9aabb8895513a00d88d6dc1ac96", "content": "", "creation_timestamp": "2026-02-19T22:40:39.000000Z"} https://vulnerability.circl.lu/sighting/e26d5087-2883-4c51-a104-76dbe5a35e39/export Thu, 19 Feb 2026 22:40:39 +0000 https://vulnerability.circl.lu/sighting/d60def68-606b-418e-b172-9f776ed384bd/export {"uuid": "d60def68-606b-418e-b172-9f776ed384bd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-24125", "type": "published-proof-of-concept", "source": "https://github.com/tinacms/tinacms/security/advisories/GHSA-2238-xc5r-v9hj", "content": "", "creation_timestamp": "2026-03-12T05:10:17.000000Z"} {"uuid": "d60def68-606b-418e-b172-9f776ed384bd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2026-24125", "type": "published-proof-of-concept", "source": "https://github.com/tinacms/tinacms/security/advisories/GHSA-2238-xc5r-v9hj", "content": "", "creation_timestamp": "2026-03-12T05:10:17.000000Z"} https://vulnerability.circl.lu/sighting/d60def68-606b-418e-b172-9f776ed384bd/export Thu, 12 Mar 2026 05:10:17 +0000 https://vulnerability.circl.lu/sighting/2737cdbb-3597-4ef7-bad9-ed04d5224b6b/export {"uuid": "2737cdbb-3597-4ef7-bad9-ed04d5224b6b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-24125", "type": "seen", "source": "https://gist.github.com/alon710/84a60be2b0bbf202946e3bdc9c48b627", "content": "", "creation_timestamp": "2026-03-12T18:10:06.000000Z"} {"uuid": "2737cdbb-3597-4ef7-bad9-ed04d5224b6b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-24125", "type": "seen", "source": "https://gist.github.com/alon710/84a60be2b0bbf202946e3bdc9c48b627", "content": "", "creation_timestamp": "2026-03-12T18:10:06.000000Z"} https://vulnerability.circl.lu/sighting/2737cdbb-3597-4ef7-bad9-ed04d5224b6b/export Thu, 12 Mar 2026 18:10:06 +0000 https://vulnerability.circl.lu/sighting/81cfd8f1-6c19-4163-8768-39399b6e5108/export {"uuid": "81cfd8f1-6c19-4163-8768-39399b6e5108", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-2412", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mhrckrflii2d", "content": "", "creation_timestamp": "2026-03-24T00:21:21.719775Z"} {"uuid": "81cfd8f1-6c19-4163-8768-39399b6e5108", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-2412", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mhrckrflii2d", "content": "", "creation_timestamp": "2026-03-24T00:21:21.719775Z"} https://vulnerability.circl.lu/sighting/81cfd8f1-6c19-4163-8768-39399b6e5108/export Tue, 24 Mar 2026 00:21:21 +0000 https://vulnerability.circl.lu/sighting/7ecf264b-d3ca-42fb-b5f2-129d5e2e50aa/export {"uuid": "7ecf264b-d3ca-42fb-b5f2-129d5e2e50aa", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-24120", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3ml2ckkquyt2l", "content": "\ud83d\udd34 CVE-2026-24120 - Critical (9.8)\n\nvm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466...\n\nhttps://www.thehackerwire.com/vulnerability/CVE-2026-24120/\n\n#infosec #cybersecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": "2026-05-04T18:30:48.520546Z"} {"uuid": "7ecf264b-d3ca-42fb-b5f2-129d5e2e50aa", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-24120", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3ml2ckkquyt2l", "content": "\ud83d\udd34 CVE-2026-24120 - Critical (9.8)\n\nvm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466...\n\nhttps://www.thehackerwire.com/vulnerability/CVE-2026-24120/\n\n#infosec #cybersecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": "2026-05-04T18:30:48.520546Z"} https://vulnerability.circl.lu/sighting/7ecf264b-d3ca-42fb-b5f2-129d5e2e50aa/export Mon, 04 May 2026 18:30:48 +0000 https://vulnerability.circl.lu/sighting/d345441c-e8d0-401d-bfe3-f211bf1c5b28/export {"uuid": "d345441c-e8d0-401d-bfe3-f211bf1c5b28", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-24120", "type": "seen", "source": "https://gist.github.com/alon710/f3beac366d11264132c16ea4f9f1b920", "content": "# CVE-2026-24120: CVE-2026-24120: Remote Code Execution via Promise Species Hijacking in vm2 Sandbox\n\n> **CVSS Score:** 9.8\n> **Published:** 2026-05-05\n> **Full Report:** https://cvereports.com/reports/CVE-2026-24120\n\n## Summary\nAn incomplete mitigation for a previous sandbox escape in the vm2 Node.js module allows attackers to execute arbitrary code on the host system. By manipulating Promise species and intercepting internal method calls via prototype pollution, attackers bypass sandbox protections and gain full host access.\n\n## TL;DR\nvm2 prior to version 3.10.5 contains a critical sandbox escape (CVSS 9.8). Attackers bypass internal security wrappers by overwriting Function.prototype.call and hijacking Promise creation, achieving unauthenticated remote code execution on the host system.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-94, CWE-693\n- **Attack Vector**: Network\n- **CVSS Score**: 9.8 (Critical)\n- **EPSS Score**: 0.00080 (23.22%)\n- **Exploit Status**: Proof of Concept Available\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Node.js applications running vm2 versions < 3.10.5\n- **vm2**: < 3.10.5 (Fixed in: `3.10.5`)\n\n## Mitigation\n\n- Upgrade vm2 to version 3.10.5 immediately\n- Migrate to alternative isolation technologies (WebAssembly, Docker, Firecracker)\n- Implement strong EDR rules to detect child_process spawning from Node.js\n\n**Remediation Steps:**\n1. Identify all projects and transitive dependencies relying on vm2.\n2. Update package.json and lockfiles to enforce vm2 >= 3.10.5.\n3. Run unit and integration tests to ensure standard functionality remains unaffected by the update.\n4. Initiate an architectural review to deprecate usage of V8-based sandboxing for untrusted code execution.\n\n## References\n\n- [GitHub Release v3.10.5](https://github.com/patriksimek/vm2/releases/tag/v3.10.5)\n- [GitHub Security Advisory GHSA-qvjj-29qf-hp7p](https://github.com/patriksimek/vm2/security/advisories/GHSA-qvjj-29qf-hp7p)\n- [Fix Commit 4b009c2d4b1131c01810c1205e641d614c322a29](https://github.com/patriksimek/vm2/commit/4b009c2d4b1131c01810c1205e641d614c322a29)\n- [Red Hot Cyber - Latest Critical Vulnerabilities Analysis](https://www.redhotcyber.com/en/latest-critical-vulnerabilities/)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-24120) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-05T16:40:29.000000Z"} {"uuid": "d345441c-e8d0-401d-bfe3-f211bf1c5b28", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-24120", "type": "seen", "source": "https://gist.github.com/alon710/f3beac366d11264132c16ea4f9f1b920", "content": "# CVE-2026-24120: CVE-2026-24120: Remote Code Execution via Promise Species Hijacking in vm2 Sandbox\n\n> **CVSS Score:** 9.8\n> **Published:** 2026-05-05\n> **Full Report:** https://cvereports.com/reports/CVE-2026-24120\n\n## Summary\nAn incomplete mitigation for a previous sandbox escape in the vm2 Node.js module allows attackers to execute arbitrary code on the host system. By manipulating Promise species and intercepting internal method calls via prototype pollution, attackers bypass sandbox protections and gain full host access.\n\n## TL;DR\nvm2 prior to version 3.10.5 contains a critical sandbox escape (CVSS 9.8). Attackers bypass internal security wrappers by overwriting Function.prototype.call and hijacking Promise creation, achieving unauthenticated remote code execution on the host system.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-94, CWE-693\n- **Attack Vector**: Network\n- **CVSS Score**: 9.8 (Critical)\n- **EPSS Score**: 0.00080 (23.22%)\n- **Exploit Status**: Proof of Concept Available\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Node.js applications running vm2 versions < 3.10.5\n- **vm2**: < 3.10.5 (Fixed in: `3.10.5`)\n\n## Mitigation\n\n- Upgrade vm2 to version 3.10.5 immediately\n- Migrate to alternative isolation technologies (WebAssembly, Docker, Firecracker)\n- Implement strong EDR rules to detect child_process spawning from Node.js\n\n**Remediation Steps:**\n1. Identify all projects and transitive dependencies relying on vm2.\n2. Update package.json and lockfiles to enforce vm2 >= 3.10.5.\n3. Run unit and integration tests to ensure standard functionality remains unaffected by the update.\n4. Initiate an architectural review to deprecate usage of V8-based sandboxing for untrusted code execution.\n\n## References\n\n- [GitHub Release v3.10.5](https://github.com/patriksimek/vm2/releases/tag/v3.10.5)\n- [GitHub Security Advisory GHSA-qvjj-29qf-hp7p](https://github.com/patriksimek/vm2/security/advisories/GHSA-qvjj-29qf-hp7p)\n- [Fix Commit 4b009c2d4b1131c01810c1205e641d614c322a29](https://github.com/patriksimek/vm2/commit/4b009c2d4b1131c01810c1205e641d614c322a29)\n- [Red Hot Cyber - Latest Critical Vulnerabilities Analysis](https://www.redhotcyber.com/en/latest-critical-vulnerabilities/)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-24120) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-05T16:40:29.000000Z"} https://vulnerability.circl.lu/sighting/d345441c-e8d0-401d-bfe3-f211bf1c5b28/export Tue, 05 May 2026 16:40:29 +0000 https://vulnerability.circl.lu/sighting/cb808edf-b6ef-408d-bb66-b1d07a22ddb7/export {"uuid": "cb808edf-b6ef-408d-bb66-b1d07a22ddb7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-24120", "type": "seen", "source": "https://bsky.app/profile/cyberhub.blog/post/3mlicivo2zc2f", "content": "\ud83d\udccc CVE-2026-24120 - vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing att... https://www.cyberhub.blog/cves/CVE-2026-24120", "creation_timestamp": "2026-05-10T08:07:08.032653Z"} {"uuid": "cb808edf-b6ef-408d-bb66-b1d07a22ddb7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-24120", "type": "seen", "source": "https://bsky.app/profile/cyberhub.blog/post/3mlicivo2zc2f", "content": "\ud83d\udccc CVE-2026-24120 - vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing att... https://www.cyberhub.blog/cves/CVE-2026-24120", "creation_timestamp": "2026-05-10T08:07:08.032653Z"} https://vulnerability.circl.lu/sighting/cb808edf-b6ef-408d-bb66-b1d07a22ddb7/export Sun, 10 May 2026 08:07:08 +0000 https://vulnerability.circl.lu/sighting/84776f57-1c5f-427d-959b-925df173b692/export {"uuid": "84776f57-1c5f-427d-959b-925df173b692", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-24120", "type": "seen", "source": "https://t.me/bdufstecru/3152", "content": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0444\u0443\u043d\u043a\u0446\u0438\u0438 resetPromiseSpecies() \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0438 vm2 \u043f\u0430\u043a\u0435\u0442\u043d\u043e\u0433\u043e \u043c\u0435\u043d\u0435\u0434\u0436\u0435\u0440\u0430 NPM \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u0432\u0435\u0440\u043d\u044b\u043c \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u0435\u043c \u0433\u0435\u043d\u0435\u0440\u0430\u0446\u0438\u0435\u0439 \u043a\u043e\u0434\u0430. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u043e\u0431\u043e\u0439\u0442\u0438 \u0437\u0430\u0449\u0438\u0442\u043d\u044b\u0439 \u043c\u0435\u0445\u0430\u043d\u0438\u0437\u043c \u043f\u0435\u0441\u043e\u0447\u043d\u0438\u0446\u044b \u0438 \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0435 \u043a\u043e\u043c\u0430\u043d\u0434\u044b\n\nBDU:2026-06464\nCVE-2026-24120\n\n\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\nhttps://github.com/patriksimek/vm2/releases/tag/v3.10.5", "creation_timestamp": "2026-05-12T14:15:48.000000Z"} {"uuid": "84776f57-1c5f-427d-959b-925df173b692", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-24120", "type": "seen", "source": "https://t.me/bdufstecru/3152", "content": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0444\u0443\u043d\u043a\u0446\u0438\u0438 resetPromiseSpecies() \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0438 vm2 \u043f\u0430\u043a\u0435\u0442\u043d\u043e\u0433\u043e \u043c\u0435\u043d\u0435\u0434\u0436\u0435\u0440\u0430 NPM \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u0432\u0435\u0440\u043d\u044b\u043c \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u0435\u043c \u0433\u0435\u043d\u0435\u0440\u0430\u0446\u0438\u0435\u0439 \u043a\u043e\u0434\u0430. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u043e\u0431\u043e\u0439\u0442\u0438 \u0437\u0430\u0449\u0438\u0442\u043d\u044b\u0439 \u043c\u0435\u0445\u0430\u043d\u0438\u0437\u043c \u043f\u0435\u0441\u043e\u0447\u043d\u0438\u0446\u044b \u0438 \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0435 \u043a\u043e\u043c\u0430\u043d\u0434\u044b\n\nBDU:2026-06464\nCVE-2026-24120\n\n\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\nhttps://github.com/patriksimek/vm2/releases/tag/v3.10.5", "creation_timestamp": "2026-05-12T14:15:48.000000Z"} https://vulnerability.circl.lu/sighting/84776f57-1c5f-427d-959b-925df173b692/export Tue, 12 May 2026 14:15:48 +0000